How can FCA enforcement shape risk management?

Isaac Alfon
19/02/2026

Compliance costs may well be lower than enforcement costs.

FCA enforcement cases illuminate critical elements of effective risk and compliance management. What makes these cases fascinating is the interplay between the business (first line of defence), the risk function (second line), internal audit (third line) and the Board - and crucially how the breach eventually came to light. A recent final notice against Nationwide Building Society, resulting in a £44 million fine, offers useful lessons for the financial services industry.

The events

A recap of the events leading to this enforcement action:

  • a failure to establish and maintain an adequate anti-money laundering (AML) control framework appropriate to the scale and nature of the business (see paragraph 2.2 of the Final Notice)
  • a failure to ask the right questions at onboarding (customer due diligence) to effectively understand clients’ requirements and the risks to the business (paragraph 2.10(a))
  • a lack of risk-based transactions monitoring aimed at understanding a customer’s normal behaviours (paragraph 2.10(b))
  • significant use of personal accounts for business purposes (paragraph 2.13)
  • the breach spanned nearly five years - October 2016 to July 2021
  • the organisation’s cooperation earned a 30% discount on the fine.

Behind these headline facts lies a story of IT systems (and enhancements) that failed to deliver and internal procedures that did not deliver against expectations.

Critical observations

While the published final notice may not capture every nuance, five patterns emerge that should concern every risk professional.

1. When your own policies become regulatory requirements

A crucial insight: while the FCA sets high-level AML expectations, firms translate these into their own mandatory policies and procedures (for example, paragraphs 4.32, 4.33 and 4.38). Regulators then treat failures to follow these internal policies as tantamount to regulatory breaches. In other words, your own procedures can become the stick you're beaten with.

2. The missing risk function

The final notice contains remarkably few references to risk oversight or challenge from the risk function. This raises fundamental questions about how present risk was and how the three lines of defence (3LOD) model was functioning. For example, there is little evidence of the risk function's challenge on the multi-year timeline of non-compliance, the escalation of mounting project risk, or the allocation of responsibilities for AML between the business and oversight.

3. Risk acceptance without governance

Perhaps most troubling: the business accepted the risk of business use of personal accounts for approximately two and a half years (paragraphs 2.12 and 2.13). The final notice provides no evidence of risk function oversight or challenge of this decision - a striking gap in governance that allowed known issues to fester.

4. Board awareness and challenge

The extent of Board and committee awareness remains unclear. More importantly, there is no evidence in the final notice of sustained Board-level challenge to the multi-year remediation timelines or the decision to tolerate known risks.

5. Timelines of regulatory engagement

The supervisory timeline is not entirely clear. A 2015 supervisory review identified customer due diligence weaknesses (paragraph 4.13), which management accepted, leading to several remediation activities (paragraphs 4.14 and 4.17). But meaningful FCA intervention didn't occur until January 2020, triggered by 'questions from the Authority' (paragraph 4.40).

From June 2021 (when the issues were addressed) to December 2024 (the final notice) represents approximately four and a half years of enforcement action - despite management's cooperation. It is difficult to be precise about this; we count from the point at which the issues identified were addressed (June 2021, paragraph 4.44). This prolonged timeline itself carries implications for firms facing similar issues: it is a long time and, given the nature of the issue, would have consumed significant management time and effort. One wonders whether firms would prefer a quick resolution as a reward for management cooperation.

Five practical lessons for risk leaders

What should risk and compliance professionals take from this case? Here are five actionable lessons.

1. Clarify AML risk oversight responsibilities

Make crystal clear who owns risk oversight of AML activities and ensure they're actually doing it. Document it in your policies and test it. The absence of visible second line challenge should be a wake-up call.

2. Strengthen risk function oversight of project risk

Multi-year remediation programmes involving IT require robust project risk oversight. Review and enhance your risk function's approach - particularly around timeline creep and dependencies that never seem to resolve.
3. Formalise risk acceptance

Create formal mechanisms for overseeing risk acceptance decisions, with mandatory periodic reviews and escalation triggers. "We'll launch a product to fix this" shouldn't be acceptable risk mitigation for 30 months (see paragraph 2.13 of the final notice).

4. Get real Board attention

Escalate key matters to the Board - and don't settle for passive acknowledgement. Ensure you're getting genuine engagement, challenge and follow-through. Board papers should support decision making or provide assurance, not just record problems.

5. Manage regulatory relationships proactively

Never assume that regulatory silence means approval. Proactively manage FCA engagement, particularly on known issues. The absence of follow-up doesn't mean the issue has gone away - it may mean something worse is brewing.

How can Crowe help?

Crowe helps financial services firms, including building societies, to strengthen the effectiveness and efficiency of risk management solutions, as well as the underlying frameworks. We have reviewed risk appetite and policy, embedded risk management roles and responsibilities, and more broadly helped risk functions do more with less and operate in an environment where stakeholders' expectations are increasing.

Isaac Alfon
Director, Consulting
