So the UK’s lead regulator the Financial Conduct Authority has pulled its list of High Risk Countries. The previously unpublished list of 95 countries was published on July 18 following a freedom of information request in early July.
According to who you listen to there are between 191-196 Countries in the world, so nearly half of the world is high risk according to the FCA. Nor have the FCA have been willing to disclose the criteria for this assessment (we are told however that this list is not purely driven by Money Laundering risk). If the Regulator won’t show their workings, is it fair that they expect firms to clearly detail the rationale for their risk assessments?
The Government of the Cayman Islands has complained to the FCA that the inclusion of the Caymans was inappropriate and unfair given the level of regulation on the island, and the Caymans rating for AML risk by various international agencies.
This recent development raises some interesting issues. The Risk Based Approach (RBA) clearly requires firms to undertake a risk assessment of their own customers, products, services, jurisdictional exposure and delivery channels. The rationale is that no one understands a firm’s business better than the firm itself. However as we have seen with a spate of UK enforcement cases (e.g. Habib Bank AG Zurich, Alpari Ltd, Standard Bank) these risk assessments must be based on a range of credible internal sources and not wholly subjective judgements. The whole rationale of the RBA is based on the concept that firms can make their own assessments and design controls proportionate to the risk they have identified.
What we are seeing now is firms being asked to play a game overseen by a referee who has a rule book that they are not prepared to disclose.
The FCA’s Financial Crime: A Guide forFirms is another example of the tension between the RBA, and the emergence of prescriptive rule making by stealth. The consolidated thematic reviews of financial crime issues, with their examples of good and poor practice have been criticised by many in the Industry as becoming a de facto compliance checklists. The FCA has denied it is using these lists as a formal checklist but there remain many practitioners convinced they are the benchmark that will be used during monitoring visits.
To be fair to the regulator they are trying to raise standards and achieve fairness in consistency in the regulated sector, but if the RBA is really going to work, firms must be given the freedom to adopt proportionate controls and exercise a degree of subjective judgement. Unless those subjective judgments are clearly irrational or not capable of justification regulators must be willing to accept that there will be differences of opinion. At the end of the day firms must be allowed to manage their own risks with the boundaries of common sense.