UK Finance Firms Face £1bn in Fines Over Internal Control Failures

UK financial services firms have been hit with fines totaling £1 billion since 2021 due to internal control failures, a trend that the Chartered Institute of Internal Auditors (CIIA) says should be a serious concern for the industry.

Widespread Failures in Basic Controls

An analysis by the CIIA of 97 enforcement cases by the Financial Conduct Authority (FCA) found that more than half of the penalties were linked to firms failing to implement fundamental internal controls. Many of these cases involved poor anti-money laundering oversight and inadequate fraud prevention measures.

The CIIA noted that these shortcomings have caused significant harm to consumers and the market, affecting millions of customers. Major financial institutions such as Nationwide, Starling, HSBC, and Barclays were cited for weak internal controls.

In many instances, internal auditing teams had already warned companies about these weaknesses, but the firms failed to take corrective action, particularly in high-risk areas like financial crime.

Zero Tolerance for Failings

CIIA President Arleen McGichen stated, "When more than half of FCA fines are rooted in internal control failures, to the value of over £1bn, this should seriously concern boards across the financial services sector and beyond." She emphasized that in high-risk areas such as anti-money laundering, there should be zero tolerance for internal failings.

Lack of Internal Audit Systems

The report also revealed that thirteen financial services providers were operating without any internal audit system at all, indicating potential gaps in the scope of the FCA's current rules and regulations. The CIIA described the findings as a "wake-up call" for senior management, audit committees, board members, regulators, and auditors.

The CIIA urged the Prudential Regulation Authority (PRA), which oversees more than 1,500 financial institutions including insurance companies, banks, and major investment firms, to strengthen its supervisory approach. Regulators should move beyond oversight and directly challenge firms when their audit coverage is weak, stepping in if audits of high-risk areas like financial crime are delayed, superficial, or non-existent.
