UK FCA Updates Analysis on Money Laundering in Wholesale Markets

The FCA provided a summary of its observations across several key themes. While it the FCA notes that it saw good practice and positive progress in process and control frameworks in both large and small firms, it noted that further focus and improvements are required to rigorously mitigate financial crime risks.

Summary observations, good practice examples, and case studies (where applicable) for each key theme are as follows:

[1] Risks and Typologies

The FCA’s review highlighted recurring risk typologies that are exploited in MLTM schemes. These include pre-arranged trades, wash trades, circular trading, Free of Payment (FoP) transactions, and Money Passing. These methods often involve complex transaction chains and the use of high-risk jurisdictions.

Key Typologies

• Pre-Arranged Trading: Coordinated trades executed at manipulated prices to transfer funds between accounts, often flagged through pricing irregularities.
• Free-of-Payment (FoP) Trades: Transfers of financial instruments without corresponding payments, frequently used to evade sanctions or obscure fund flows.
• Mirror and Wash Trades: Transactions designed to simulate legitimate activity while moving funds between accounts.
• Circular Trading: A sophisticated form of wash trading involving multiple participants to obscure transaction origins and destinations.
• Money Passing: A form of wash trading involving money passing between multiple participants to share, clean and conceal money.

Expanded Case Studies Applicable to Energy and Commodity Firms

• Case 5 (Wash Trades): Wash trades executed by parties with shared beneficial ownership, identified through market abuse alerts.

"Wash trades through the simultaneous purchase and sale of shares and index options at identical/almost identical prices by the same direct client, to legitimise the appearance of funds.

The risk was identified through a market abuse surveillance alert, and there were multiple instances over the years involving different direct clients. Due diligence conducted post-trading identified that the trades were executed by 2 different underlying counterparties, but they shared the same beneficial ownership.

Counterparties found in similar examples for this typology were:

• An individual and a legal entity, where the individual is the beneficial owner;
• An institutional and a retail client, with the retail client having capacity to trade on behalf of the institutional one;
• Spouses; and
• An individual account and a joint account, where one person controlled both.

The transaction rationale given was that the counterparties wanted to transfer their positions from one account to the other and maintain the same market exposure."

• Case 6 (Money Pass in fuel contracts): The firm reviewed the trading history and identified over 30 instances of trading between Firm A and Firm B in fuel contracts, where Firm A always made a loss.
• Case 8 (No economic rationale/out of the money trading in crude oil futures): Firm A trades crude oil futures with market participants at the prevailing market price, before trading in the opposite direction with Firm B at a price out of line with the market and beneficial to Firm A. Firm A realises an immediate profit.

Risk Indicators

The FCA provides a non-exhaustive list of risk indicators for firms to be aware of and to consider in their training and controls. Where appropriate, Compliance teams can review and benchmark these indicators against current governance and controls in their firm:

• Former customers exited by the firm attempting to re-apply through different legal entities or parties.
• Small and frequent changes in client details. For example, address (and use of residential and TCSP addresses in higher risk jurisdictions); director (and use of nominee directors with higher risk attributes); jurisdiction changes; beneficial owner changes; entity names remarkably similar to larger credible firms; opaque Ultimate Beneficial Owner (UBO) or no public footprint.
• Multiple connections between firms - either business connections, same phone numbers/address/ID photos, similar activity or transactions between them, or personnel moving between firms.
• Bank accounts in a different jurisdiction to where customer is based.
• Transactions involving no ultimate change in beneficial ownership.
• Significant deviation from historical client trading behaviour or profile.
• Customers with overly complex structures without clear rationale.
• Customers that deposit and withdraw funds in quick succession.
• Unusual or unexpected foreign exchange trades.
• Uneconomic or irrational trading strategies.
• Settlements or payments to/from third parties that have no apparent connection with the transaction or customer.
• Material inconsistencies between CDD and Companies House information.
• Same counterparties on each side of the trade.
• Multiple payment methods/cards, including attempts to directly fund bank and trading accounts from third parties, or failed direct debits.
• Deposits exceeding salary or turnover expectations.
• Accounts linked by devices, for example, PC MAC addresses or mobile phone handset IMEI (international mobile equipment identity) numbers.
• Abnormal funding patterns. For example, no trading between deposits and withdrawals; minimal trading before balance is withdrawn; small positions compared to both size of account balance and normal market trading sizes for instrument; failed or aborted funding and withdrawal transactions; significant funding in a short period without rationale.
• Use of complex and structured products and patterns to launder money, whereby the client is not waiting until maturity, or is content with making a loss on the contract at maturity.

[2] Business-wide risk assessment (BWRA).

“Some firms either had not fully considered or had underestimated the financial crime related risks to which they are exposed and insufficiently documented them as part of a tailored BWRA. This led to a lack of understanding across the firm about how they could be targeted by criminals.”

The FCA provides a case study and broader ‘Good Practices’ to provide market participants insights into expectations of a good BWRA:

Case Study 14

• The firm’s BWRA documents a qualitative and quantitative assessment of the business risks. The BWRA contains firm-specific analysis of a variety of inherent risk factors that include exposure to predicate offences, operating environment, and proliferation finance (PF);
• An impact and probability scoring of 1-5 is assigned to each risk factor and sub-factors to create inherent risk scores. Total inherent risk divided by total risks is calculated to produce an overall inherent risk score that the firm equates to a level of exposure to ML and TF. Key risks, mitigation and actions taken are also in the firm’s BWRA;
• The firm’s residual risk score is calculated by multiplying overall inherent risk by perceived strength of controls to conclude that residual risk exposures to ML/TF (terrorist financing) is ‘low’; and
• The BWRA outputs are compared to the firm’s ML and TF appetite thresholds to determine whether they are operating within their risk appetite.

‘Good Practice’ observations included:

1. Quantitative and qualitative risk assessment of the specific business and services offered by the firm – and across each legal entity where appropriate;
2. Inherent risks, mitigating factors, controls and residual risks are properly considered and documented;
3. Financial crime related risks and typologies are used to assess the risks of new products and services;
4. Annual red flag analysis covering relevant risk typologies is mapped against the products offered by the firm;
5. Analysing risk typologies against business activity to determine relevance and applicability, feeding typologies into inherent risk scores, and assessing whether sufficient controls are in place to mitigate the risks identified by the typologies; and
6. Supporting risk registers for each area of the business.

[3] Customer Risk Assessment (CRA).

“CRA processes generally consider a range of appropriate risk factors and are increasingly using weighted factors. Well thought through country risk assessment processes are also more commonplace. However, firms often failed to thoroughly document their CRA methodology or the rationale for the risk rating of a customer where it had been updated or overridden. Not all firms were distinguishing between domestic and foreign Politically Exposed Persons (PEPs) and considering this in their CRA processes.”

The FCA provides a case study and broader ‘Good Practices’ to provide market participants insights into expectations of a good CRA:

Case Study 17

• The firm has a spreadsheet that is completed by the onboarding team. It contains detailed questions and risk scoring for the following categories: product and service (10%); customer type (20%); customer industry (10%); geographical (30%); relationship structure (5%); adverse media and PEP (25%).
• The total risk score per category is multiplied by the weightings above to create a total risk score. This risk score aligns to a high/medium/low CRA rating and determines the level of due diligence to be completed.
• The spreadsheet also alerts the reader if they need to escalate to the Money Laundering Reporting Officer (MLRO) for approval and has a chapter for manual overrides and its rationale. It also prompts the user to consider the presence of other risk factors and information that would require additional action to be taken.

‘Good Practice’ observations included:

1. CRA process considers a variety of financial crime related risks specific to the business.
2. Appropriate consideration given to factors that present higher risks, weighting risk factors, and documenting how risks are mitigated.
3. Clear audit trail of customer risk rating overrides and rationale.
4. Clear methodology for assessing country risk on an ongoing basis.

[4] Know your customer (KYC) and Customer Due Diligence (CDD).

“Onboarding and KYC processes have generally developed to better consider proportionality and customer risk. Firms tend to consider a range of triggers to initiate a customer review or refresh of due diligence. However, there remains an inappropriate reliance by some market participants on other parties in the transaction chain completing appropriate due diligence. Many firms are also not recording and considering the nature, purpose and expected activity on customer accounts.”

The FCA provides several insightful observations from its review regarding short cuts firms are taking when determining whether to conduct CDD. One in particular was a firm’s reliance on exchanges to perform CDD on counterparties they were trading with, however the FCA refuted the presumption upon which this approach is based:

"We noted instances where firms were informally depending on other counterparties in the transaction chain completing appropriate CDD or on the customer being a regulated entity in a jurisdiction of equivalence.

The perception that customer ML risk is lower with exchange trading as exchanges have better visibility is unfounded. Exchanges complete CDD on members but do not (and are not expected to) complete CDD on the underlying customers. This informal dependence is often inappropriately used as justification for customers, transactions and the business being low risk. Unless appropriate reliance."

‘Good Practice’ observations included:

1. Independently verifying ID, adverse media, and documents received where possible;
2. Getting relevant information to enable an assessment of the customer’s systems and controls (for example, policies, information on the firm and the regulatory regimes they operate in);
3. Defined risk-based trigger approach for reviewing and monitoring accounts.
4. Matrix of AML requirements (for example, documents to request, checks to complete, rationale) per type of institutional customer and by customer risk rating;
5. 4-eyes checking of onboarding activities before a customer is approved.
6. Checklist of tasks to complete during a customer periodic review and refresh;
7. Re-completing onboarding KYC process after a period of non-trading.
8. Firm to firm discussions to raise queries on documents, consider changes in risk profile, and understand customer activity;
9. Identifying if the customer is acting as agent or principal and tailoring CDD accordingly;
10. Assessing MI on upcoming periodic reviews to make sure resourcing is available;
11. Firm’s compliance staff met with the client’s compliance officers and other Senior Executives at the client’s offices to discuss and understand their systems, controls, processes and procedures as part of the KYC process; and
12. Requesting a Wolfsberg questionnaire, where appropriate, to support due diligence processes.

[5] Governance and Oversight.

“Firms are developing a tailored approach to formal governance and oversight, to promote oversight and challenge over processes, controls and outcomes. Management Information (MI) reporting on clients onboarded, risk ratings, and surveillance hits has progressed and is generally sufficient to provide relevant updates to management.”

MI Reporting. The FCA review found MI reporting was used to inform and drive senior management decision making, as well as supporting the business and its systems and controls. Firms with larger customer bases often produce monthly packs that combine:

• AML monitoring (customer rejections, new accounts by risk rating, top 10 high-risk customers, screening figures, periodic review backlog, SARs, breaches, QA/QC (quality assurance /control) results);
• TS/TM joint monitoring (alerts, updates);
• Regulatory monitoring; and
• Project updates.

‘Good Practice’ observations included:

1. Formal governance processes to discuss, review and approve customer onboarding;
2. Monthly reporting of onboarding, TM, TS and other ML data statistics for staff and senior management awareness and decision making; and
3. Independent QA/QC undertaken on policies, procedures, controls, case reviews.

[6] Transaction monitoring (TM).

“We found that firms have significant ongoing challenges with TM. Collaboration has improved between TS and TM teams to identify and review potentially suspicious activity. However, most firms have found that using their current automated TM systems in isolation provides limited success in identifying suspicions of MLTM. Automated systems and their alerts are also more often tailored to TS than TM. Firms are not consistently considering how to use TM as part of an integrated process to assist with ongoing monitoring, risk assessment, KYC and record keeping processes to better mitigate MLTM risk.”

 RegTrail Insights

Transaction Surveillance (TS) and AML Transaction Monitoring (TM) alerts historically are siloed and were monitored independent of one another. More recently, firms are converging their TM and TS alerts in one system and managed by the same core surveillance team. In this model, TS alerts are first identified and reviewed by first line surveillance teams while any alerts that require escalation are then forwarded either directly to the MLRO or someone in the AML Compliance team for further investigation.

Several trade surveillance firms offer AML transaction monitoring solutions however many have attempted to build these themselves and failed. Firms are left with three choices:

(i) Build bespoke alerts within existing trade surveillance platforms;

(ii) Build bespoke alerts internally; or

(iii) Identify and procure a third-party TM solution.

Many firms have been reluctant to spend on an AML TM solution in isolation given the cost to implement versus regulatory risks. Given the FCA’s focus in this report, firms should re-review their business case for AML TM in 2025 and leverage this report to aid in securing funding to implement where AML TM gaps are identified.

The FCA highlighted that most firms appeared “to find it easier to identify instances of market abuse than ML” noting that some firms are combatting this through closer working and collaboration between TS and TM teams. The FCA stressed that this area still requires significant consideration by firms noting that larger firms had separate TS and TM teams, whereas smaller firms often used the same personnel.

It noted that many firms did not appear to have considered how best to use KYC and customer information to support, refine and make TM more effective. Some firms incorporate customers’ expected behaviour into alert management systems. However, many firms do not consider customer risk ratings, customer activity, jurisdiction risk, customer information or business/market risk when configuring and maintaining TS and TM alert and control frameworks. Historical transactions are not often reviewed when new adverse media or information from ongoing monitoring arises.

The FCA was very clear in its message to market participants regarding financial crime monitoring obligations:

"Firms must consider their obligations in relation to financial crime when they have identified activity they suspect may amount to market manipulation and/or insider trading, and should the customer seek to use or transfer the proceeds relating to the suspicious activity."

In addition, it provides a set of TM alerts it observed firms implementing which energy and commodity firms can use to benchmark against current TM alerts within your organisation.

• Split transactions;
• Transactions from one to many or vice versa;
• Client receives/sends and back almost same amount in same day;
• Multiple money movements across borders/high risk jurisdictions;
• Financial Action Task Force (FATF) plenary and grey list;
• Multiple transactions or cumulative amounts in period;
• Spikes in activity for high-risk client;
• Trade size and frequency anomalies, suspicious counterparties, immediate trading in size on account opening, changing client behaviour (products/size of transactions);
• Unusual trading patterns;
• Uneconomic or irrational trading;
• Third-party payments;
• Geographical destination or origin of transaction;
• Payments/receipts with no link to business;
• Bank transfer instructions with equal amounts in/out.

‘Good Practice’ observations included:

1. Embedding risk typologies into TM and TS procedures.
2. Regularly reviewing the TM system configuration to make sure it remains appropriate and effective at managing the risks.
3. The rationale for discounting TM alerts is clearly documented.
4. TM rules are customised for particular clients and product activity.
5. ML suspicions are considered when reviewing TS alerts.
6. The number of false alerts, resourcing required, and residual risk are considered when determining TM controls and system configuration.
7. TS and TM teams work closely, share information, provide cross training, joint reporting, joint risk recording, share high-risk clients lists and accounts of focus, and having clear escalation routes.
8. Compiling a view of actual customer activity over time – comparing this to the KYC information held, discussing it with the customer and updating records where appropriate.
9. Considering actual trade activity against KYC information and triggering a review of the account where appropriate.
10. Inclusion of AML ‘risk words’ in communication surveillance tools and controls.
11. Documenting the risks faced and mitigating TS/TM controls.
12. Considering whether POCA (Proceeds of Crime Act 2002) requires the submission of a SAR where a STOR is raised.
13. Completing an event-driven review of a customer’s KYC following notification from an exchange of a transaction they are investigating.

AI in TM monitoring. The FCA concluded its observations noting that none of the firms it observed had made significant progress in understanding how Artificial Intelligence (AI) could be used for both TM and onboarding processes. The opportunity for firms to leverage AI in TM and onboarding processes will be an emerging topic in 2025.

[7] Investigations and suspicious activity reporting (SAR).

“A significant proportion of firms have limited knowledge of the UKFIU MLTM SARs glossary code. This could impact reporting and wider criminal investigations, and results in a weaker understanding of MLTM risk. SARs reported using the SARs glossary code have increased year-on-year and at a higher growth rate than the full SARs dataset in the same year, but we have seen incorrect use of the code and inconsistent quality of SAR reporting.”

[8] Training, resourcing and policies and procedures.

“Financial crime staff training has become more commonplace at firms. But several firms are yet to tailor training content to their business model, related risks, common red flags and for the different roles that exist in the firm. Resourcing in financial crime functions varies greatly across firms, as does the quality of policies and procedures.”