Insight

Beyond limits: Rise above regulatory hurdles

The Compliance Burden

Continuing to meet regulatory expectations requires maintaining a wide view of various technical subjects on any given day. But what does good look like in the eyes of the Regulator?

Regulatory requirements across compliance frameworks continue to evolve as the UK regulator maintains its focus on both preventing financial crime and ensuring consumer detriment is minimised.

Key areas continue to be:


Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF): Firms must continue to maintain robust AML/CTF frameworks to detect and prevent illicit activities.

But what does good look like in the eyes of the regulator?
How are firms staying innovative against a backdrop of firm-wide reviews by the regulator?

Fraud: Tackling financial crime, including authorised push payment (APP) fraud, continues to be a priority for the FCA.

How are firms regularly evaluating their approach to identifying the fraud risks to better protect the customer?

Sanctions: Keeping on top of evolving sanctions risk is one thing, but how are firms dealing with concerns around sanctions evasion and de-risking?

Is your firm meeting the requirements in a way that best utilises your limited resources?

Consumer Duty: the FCA published updated expectations in Feb 2024 which show what firms are doing well, and how they could improve.

Is responsibility for good customer outcomes understood and owned across the business?

Liquidity Risk and Safeguarding: have firms updated their framework approach to safeguarding to incorporate liquidity risk considerations, including stress testing and wind down plans?

ML/TF and Money Mules

In 2023 the FCA conducted a review of payment account providers’ systems and controls against money mule activity. The findings showed that where firms “have more reported mule accounts than their peers, there is also a lack of MI and senior management oversight to ensure that steps are taken to address the risk and assess the impact of interventions”.

Payment account providers and e-money institutions have a role in disrupting money mule activities, and must be able to demonstrate a proportionate and risk-based approach to ensuring their platforms are not being exploited, and customers are not put at risk by organised crime. This also applies to other UK regulated firms offering retail customer accounts.

Act now

If Senior Management and Compliance haven’t yet reviewed their framework approach top to bottom, then 2024 is the year to do so. Failing to keep on top of money laundering and terrorist financing (ML/TF) risks can result in legal, financial and regulatory risks, including skilled person reviews or costly remediation activity.

Senior Management and MLROs should continue to adopt proportionate approaches that use innovative solutions. For example, bringing in facial recognition systems, device profiling, geolocation data and IP address evaluation. Such data points can feed or enhance a customer risk assessment and help mitigate a range of risks.

Staff should receive targeted training that takes into account changes, latest typologies, and regulatory expectations such as those around money mule prevention. Firms will need proportionate checks that help staff recognise indicators and red flags which may identify ML/TF weaknesses or potential money mules.

Ongoing customer due diligence and monitoring systems should be calibrated to detect common money mule behaviours, as well as new ML/TF typologies. There should be renewed focus on monitoring both inbound as well as outbound transactions.

It’s important that firms plan resourcing carefully and have preferred partners in place to tackle a range of risks and emerging threats. Having contingencies in place to support regulatory requirements, backward looking reviews, operational demands, and volume spikes remains a high priority for firms and should be a discussion area at both Board level, and between Senior Management and Compliance.


A focus on APP fraud

The FCA observed weaknesses in firms’ anti-fraud controls and complaint handling and published their results in Nov 2023.

Examples of common weaknesses in firms’ fraud risk management frameworks and customer treatment include:


  1. Insufficient focus on delivering good consumer outcomes.
  2. Management information and actions often focused on commercial risk appetite, rather than customer impact and treatment.
  3. Improving support provided to victims of fraud including from the first point of contact.
  4. Encouraging customers to report fraud easily and promptly.
  5. Poor complaint handling: often taking too long to respond to customer complaints – remember a payment provider should look into things and send a final response within 15 days (35 days in exceptional circumstances).
  6. Customers provided with decision letters that were sometimes unclear, confusing, or included unhelpful and, on occasion, accusatory language.
  7. Limited evidence that firms are appropriately taking account of characteristics of customer vulnerability when making decisions about fraud claims and complaints.


Note that people typically bring a complaint to the Financial Ombudsman Service (FOS) after a scam and when their payment services provider refuses to reimburse money that’s been lost.

Scams where the customer is tricked into transferring money, called Authorised Push Payment (APP) fraud, commonly involve people thinking they are making a payment to a trusted organisation or buying goods or services that never arrive. Many of these complaints are covered by the Contingent Reimbursement Model (CRM Code) – a voluntary code that a number of payment services providers have signed up to.

FOS will look at, and consider, areas such as good industry practice and/or relevant regulatory guidance as well as the terms and conditions of the account from which the disputed transaction was made. This alone makes it important that Compliance not only keeps abreast of developments regarding APP reimbursement for faster payments, but also reviews framework contracts to ensure there are no unfair contract terms, with clear line of sight on how fraud and fraud related complaints will be dealt with.

It will also help when APP fraud is investigated, as any customer who ignored “Effective Warnings” may be liable, unless of course they are vulnerable, in which case firms should be aligned to the CRM Code where possible.

The FCA’s high-level evaluation of their approach to fraud risk management, with a focus on APP fraud, serves as a reminder for firms to review their fraud framework including:


  1. How engaged senior management are with fraud strategies and the critical elements of operational processes
  2. How innovative fraud detection and prevention systems and controls are, and how metrics show that they continue to operate in practice in the face of evolving fraud attacks
  3. What good looks like when it comes to regular and timely management information that supports appropriate oversight of the risk framework for all types of fraud. Can your firm demonstrate how fraud related management information is reported and acted on?
  4. How do the customer experience and fairness of customer outcomes relate to fraud? Are Senior Management aware of fraud related complaints? Are they acting on root cause analysis arising from such complaints?

Firms continue to have a difficult job when it comes to first person fraud, chargebacks, disputes and being able to support the victims of fraud so they are treated fairly.

Compliance functions and senior management need to support the business by ensuring customer facing staff are well trained in fraud detection, prevention and management. It is important to consider scenarios that cross over into The Consumer Duty and obligations around the treatment of vulnerable customers.

Sanctions

Sanctions is an area that requires constant update of knowledge, and it remains a key focus area for law enforcement and regulators. The unprecedented sanctions regime deployed by the UK in response to Russia’s invasion of Ukraine highlighted the fundamental importance of financial sanctions in tackling threats to the UK and global security. Beyond changes to Sanctions themselves, the Office of Financial Sanctions Implementation (OFSI) are upgrading their guidance which will impact procedures.


The FCA is aware that some firms are no longer offering financial services to entire categories of customers that they associate with higher money-laundering risk, such as those who are resident in a sanctioned country. Policies and procedures to identify, assess and manage sanctions risk must be comprehensive and proportionate to the nature, scale, and complexity of a firm’s activities. A deeper understanding of sanctions is needed coupled with effective enhanced due diligence measures to ensure your firm can safely navigate this important area of compliance.

De-risking (avoiding risk) and over-compliance with the requirement of unilateral sanctions can force consumers to take risks and look for alternative ways to transfer money. Organisations need to be aware that de-risking can lead to corruption and criminal activities. Financial inclusion is a UK regulatory mandate, and firms must ensure they do all they can not to unnecessarily exclude consumers.

2023 evidence published in the Journal of Conflict Resolution suggests that firms frequently over-comply with U.S. sanctions. This is often because of a nexus with a US strategic partner who themselves must adhere to OFAC sanctions.

Consumer Duty

The FCA published expectations in Feb 2024 which show what firms are doing well and what they could do better.

Some highlights:

  • It seems that granular knowledge around The Consumer Duty is still primarily driven by programme teams or Risk and Compliance functions and still isn’t discussed enough at Board level.
  • Senior Management need to ensure that Board appointed champions are driving requirements top down.
  • Good customer outcomes still need to be understood at all levels including in people policies, management information and tracking metrics.

Firms who are waiting to see if the FCA will intervene to address an issue play a dangerous game - especially if there is consumer detriment. The Duty requires firms to proactively identify and address issues and risks of harm, and firms need to incorporate The Consumer Duty into all aspects of the business, including fair value assessments. As evidenced by a recent FCA supervisory notice, firms can still get charging of fees and framework contracts wrong.

The Consumer Duty remains a data led initiative and firms should not be complacent and assume that they can just repackage existing data. The FCA want firms to “think seriously about what information they need to really understand their customers’ outcomes and issues they may be facing”.

There is significant crossover with the treatment of vulnerable customers, and firms should be taking note now of FCA good practice, including documenting a full review of the firm’s approach, systems and processes, and centralising operations. It is recommended to have champions across all lines of defence and amongst senior management.


Liquidity Risk and Safeguarding

Since 2020, the FCA has expressed concern regarding inadequate governance and controls to manage prudential risk appropriately in the context of safeguarding customer funds.

Maintaining robust prudential risk management is essential, and a liquidity risk framework covers a number of heavy technical subjects such as stress testing, own funds calculations and wind down planning.

Firms must all carry out stress testing to analyse their exposure to a range of severe business disruptions, or the failure of one or more of their major counterparties, and assess whether they would cause the business to fail. Senior Management in conjunction with Compliance should assess any potential impacts using internal and/or external data and scenario analysis.

Liquidity and capital resources affect safeguarding in a number of key areas. Record keeping requirements are there to help any third party, such as an insolvency practitioner (IP), or the FCA, to distinguish relevant funds from the firm’s own money.

If firms are not across this important area, then it is highly recommended to bring in external experts who can assist, as the cost of non-compliance or getting it wrong is high.

Summary

The FCA recognise that so many firms are falling short of expectations. The operational strain of keeping pace with the evolving regulatory landscape can be complex and onerous, and place a heavy burden on internal functions.

Seeking external support can often provide the assurance and confidence to tackle issues head on. DCM have a range of capabilities to help customers fulfil their regulatory obligations and maintain operational performance. Our services enable fast gap analysis to detect potential unidentified risks and areas of compliance immaturity.

We operate 3 business divisions to support the unique needs of our customers:

Managed Service and Outsourcing – supporting Client on-boarding, periodic and on-going reviews and remediation. DCM’s Managed Service allows FIs to draw on flexible and experienced teams so they can embrace opportunities and successfully deliver on their transformation plans

Advisory - Full spectrum expertise across the Anti-Financial Crime and Legal & Regulatory Compliance domain; delivering AML & Safeguarding Audits, Regulatory Application assistance, Policy and Process implementation and retained MLRO services.

Standby Service - providing robust business continuity; Rapid response deployment of DCM’s Taskforce teams to address sharp and sudden volume spikes, BAU surges and overflow (clearing Fraud & Sanctions Alerts, KYC backlogs & Transaction Monitoring reviews).

Reach out for help

DCM has a specialist taskforce operating across the Economic Crime and Legal & Regulatory Compliance space. If your organisation is looking for a cost-effective solution to address complex Regulatory challenges or spikes in operational demand, reach out to our specialist team by email or give us a call.

For more information on all our services please get in touch here.