Financial Crime Thematic Reviews - FCA Handbook

Financial Crime Thematic Reviews

FCTR Contents

Financial Crime Thematic Reviews

FCTR 1 Introduction

1.1 What is the FCTR?

FCTR 2 Firms’ high-level management of fraud risk (2006)

2.1 Introduction
2.2 The FSA’s findings
2.3 Consolidated examples of good and poor practice

FCTR 3 Review of private banks’ anti-money laundering systems and controls (2007)

3.1 Introduction
3.2 The FSA’s findings
3.3 Consolidated examples of good and poor practice

FCTR 4 Automated Anti-Money Laundering Transaction Monitoring Systems (2007)

4.1 Introduction
4.2 The FSA’s findings
4.3 Consolidated examples of good and poor practice

FCTR 5 Review of firms’ implementation of a risk-based approach to anti-money laundering (AML) (2008)

5.1 Introduction
5.2 The FSA’s findings
5.3 Consolidated examples of good and poor practice

FCTR 6 Data security in Financial Services (2008)

6.1 Introduction
6.2 The FSA’s findings
6.3 Consolidated examples of good and poor practice

■ Release 53 ● Aug 2020 www.handbook.fca.org.uk FCTR–i

FCTR 7 Review of financial crime controls in offshore centres (2008)

7.1 Introduction
7.2 The FSA’s findings
7.3 Consolidated examples of good and poor practice

FCTR 8 Financial services firms’ approach to UK financial sanctions (2009)

8.1 Introduction
8.2 The FSA’s findings
8.3 Consolidated examples of good and poor practice

FCTR 9 Anti-bribery and corruption in commercial insurance broking (2010)

9.1 Introduction
9.2 The FSA’s findings
9.3 Consolidated examples of good and poor practice

FCTR 10 The Small Firms Financial Crime Review (2010)

10.1 Introduction
10.2 The FSA’s findings
10.3 Consolidated examples of good and poor practice

FCTR 11 Mortgage fraud against lenders (2011)

11.1 Introduction
11.2 The FSA’s findings
11.3 Consolidated examples of good and poor practice

FCTR 12 Banks’ management of high money-laundering risk situations (2011)

12.1 Introduction
12.2 The FSA’s findings
12.3 Consolidated examples of good and poor practice

FCTR 13 Anti-bribery and corruption systems and controls in investment banks (2012)

13.1 Introduction
13.2 The FSA’s findings
13.3 Consolidated examples of good and poor practice

FCTR 14 Banks’ defences against investment fraud (2012)

14.1 Introduction
14.2 The FSA’s findings
14.3 Consolidated examples of good and poor practice

FCTR 15 Banks’ control of financial crime risks in trade finance (2013)

15.1 Introduction
15.2 The FCA’s findings
15.3 Consolidated examples of good and poor practice

FCTR 16 How small banks manage money laundering and sanctions risk – update (2014)

16.1 Introduction
16.2 The FCA findings
16.3 Themes

FCTR 17 Managing bribery and corruption risk in commercial insurance broking – update (2014)

17.1 Introduction
17.2 The FCA findings
17.3 Themes

Chapter 1

Introduction

1.1 What is the FCTR?

1.1.1 FCTR contains summaries of, and links to, thematic reviews of various financial crime risks. It includes the consolidated examples of good and poor practice that were included with the reviews’ findings. Each chapter includes a statement about those to whom it is most relevant and, where good and poor practice is included, to whom that guidance applies. We have suggested where material may be of interest and use to a broader range of firms, but we will only take guidance as applying to those types of firms to whom we have directly applied it. Each chapter also includes cross references to relevant chapters in FCG.

1.1.2 The statements of our expectations and the examples of good and poor practice in the body of FCTR have the same status as in FCG: they are “general guidance” as defined by section 158 of the Financial Services and Markets Act 2000. The guidance in FCTR is not binding and imposes no requirements on firms. Please refer to ■ FCG 1 for more information about guidance in FCG and FCTR.

1.1.3 As with FCG, FCTR contains guidance on Handbook rules and principles, particularly:

• ■ SYSC 3.2.6R and ■ SYSC 6.1.1R, which require firms to establish and maintain effective systems and controls to counter the risk that they might be used to further financial crime;

• Principles 1 (integrity), 2 (skill, care and diligence), 3 (management and control) and 11 (relations with regulators) of our Principles for Businesses, which are set out in ■ PRIN 2.1.1R;

• the Statements of Principle for Approved Persons set out in ■ APER 2.1A.3R and the conduct rules set out in ■ COCON 2.1 and ■ 2.2; and

• in relation to guidance on money laundering, the rules in ■ SYSC 3.2.6AR to ■ SYSC 3.2.6JG and ■ SYSC 6.3 (Financial crime).

1.1.4 Not all thematic reviews contain consolidated examples of good and poor practice. All reports do, however, discuss what the FCA/FSA found about the practices in place at the firms it visited. This information is not guidance, but firms interested in comparing themselves against their peers’ systems and controls and policies and procedures in the areas covered by the reviews can find more information on this in the original reports. Firms should consider whether information in historic thematic reviews in FCTR relating to the Money Laundering Regulations 2007 remains relevant for the Money Laundering Regulations.

Chapter 2

Firms’ high-level management of fraud risk (2006)

2.1 Introduction

2.1.1 Who should read this chapter? This chapter is relevant to all firms subject to the financial crime rules in ■ SYSC 3.2.6R and ■ SYSC 6.1.1R and to e-money institutions and payment institutions within our supervisory scope.

2.1.2 In February 2006 the FSA reviewed a sample of 16 firms (predominantly larger financial services groups) to assess how firms’ senior management were managing fraud risk.

2.1.3 The findings of the review reflected our overall expectation that firms’ senior management should be proactive in taking responsibility for identifying and assessing fraud risk and the adequacy of existing controls, and ensure that, if necessary, appropriate additional controls are put in place. We expect a firm to consider the full implications of the fraud risks it faces, which may have wider effects on its reputation, its customers and the markets in which it operates.

2.1.4 The report emphasised that fraud is more than just a financial crime issue for firms; it is also a reputational one for the industry as a whole. The report concluded that while there had been some improvement in the management of fraud there was still more that firms could be doing to ensure fraud risk was managed effectively.

2.1.5 The contents of this report are reflected in ■ FCG 2 (Financial crime systems and controls) and ■ FCG 4 (Fraud).

2.2 The FSA’s findings

2.2.1 You can read the findings of the FSA’s thematic review here: http://www.fsa.gov.uk/pubs/other/fraud_risk.pdf

2.3 Consolidated examples of good and poor practice

2.3.1 This report did not contain consolidated examples of good and poor practice.

Chapter 3

Review of private banks’ anti-money laundering systems and controls (2007)

3.1 Introduction

3.1.1 Who should read this chapter? This chapter is relevant to private banks (firms which provide banking and investment services in a closely managed relationship to high net-worth clients) and other firms conducting business with customers, such as PEPs, who might pose a higher risk of money laundering. It may also be of interest to other firms we supervise under the Money Laundering Regulations.

3.1.2 In July 2007 the FSA undertook a review of the anti-money laundering (AML) systems and controls at several FSA-regulated private banks. The review was conducted in response to a report by the FSA’s Intelligence team, which had highlighted the high risk of money laundering within private banking.

3.1.3 This sector is particularly susceptible to money laundering and firms are expected to have high-standard AML systems and controls in place in order to mitigate these risks. The review focused on firms’ policies and procedures for identifying, assessing, monitoring and managing the risks, with a strong focus on high-risk clients and Politically Exposed Persons (PEPs).

3.1.4 The key areas examined in depth were a consideration of senior management’s risk appetite and the level of customer due diligence that took place.

3.1.5 Overall the FSA found that the private banks covered by our review acknowledged the relatively high risk of money laundering within their business activities and recognised the need to develop and implement strong AML systems and controls. The report also emphasised that private banks should obtain and keep up-to-date information on clients.

3.1.6 The contents of this report are reflected in ■ FCG 2 (Financial crime systems and controls) and ■ FCG 3 (Money laundering and terrorist financing).

3.2 The FSA’s findings

3.2.1 You can read the findings of the FSA’s thematic review here: https://www.fca.org.uk/publication/archive/fsa-systems-review.pdf

3.3 Consolidated examples of good and poor practice

3.3.1 This report did not contain consolidated examples of good and poor practice.

Chapter 4

Automated Anti-Money Laundering Transaction Monitoring Systems (2007)

4.1 Introduction

4.1.1 Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to all firms for whom we are the supervisory authority under the Money Laundering Regulations.

4.1.2 The extent to which we expect a firm to use automated anti-money laundering transaction monitoring (AML TM) systems depends on considerations such as the nature and scale of its business activities. There may be firms, particularly smaller firms, that monitor credibly and effectively using manual procedures. This chapter will not apply to such firms where they do not, and are not intending to, use AML TM systems, although it may still be of interest to them.

4.1.3 The FSA wrote a short report on automated Anti-Money Laundering Transaction Monitoring Systems in July 2007. This was in anticipation of the fact that transaction monitoring would become compulsory following the implementation of the Money Laundering Regulations 2007.

4.1.4 The report explains that the FSA did not anticipate that there would be major changes in firms’ practice, as the new framework expressed in law what firms were already doing. Instead, it is to be read as feedback on good practice to assist firms in complying with the Money Laundering Regulations 2007.

4.1.5 The report confirms our expectation that senior management should be in a position to monitor the performance of transaction monitoring (TM) systems, particularly at firms that experience operational or performance issues with their systems, to ensure issues are resolved in a timely fashion. Particular examples of good practice include transaction monitoring and profiling, especially ensuring unusual patterns of customer activity are identified.

4.1.6 The contents of this report are reflected in ■ FCG 2 (Financial crime systems and controls) and ■ FCG 3 (Money laundering and terrorist financing).

4.2 The FSA’s findings

4.2.1 You can read the findings of the FSA’s thematic review here: http://www.fsa.gov.uk/pubs/other/money_laundering/aml_system.pdf

4.3 Consolidated examples of good and poor practice

4.3.1 This report contained the following examples of good practice:

4.3.2 Statement of good practice

• Depending on the nature and scale of a firm’s business activities, automated AML TM systems may be an important component of an effective overall AML control environment.

Methodologies

• TM systems use profiling and/or rules-based monitoring methods.

• Profiling identifies unusual patterns of customer activity by applying statistical modelling techniques. These compare current patterns of activity to historical activity for that customer or peer group.

• Rules-based monitoring compares customer activity to fixed pre-set thresholds or patterns to determine if it is unusual.

Development and implementation

• A clear understanding of what the system will deliver and what constraints will be imposed by the limitations of the available data (including any issues arising from data cleanliness or legacy systems).

• Consideration of whether the vendor has the skills, resources and ability to deliver the promised service and provide adequate ongoing support.

• Maintenance of good working relations with the vendor, e.g. when collaborating to agree detailed system configuration.

• Use of recommended hardware, not necessarily a firm’s own standard, to reduce processing problems, or otherwise finding a solution that is a good fit with a firm’s existing infrastructure.

• A full understanding of the data being entered into the system and of the business’s requirements.

• Regular housekeeping and database maintenance (operational resilience is vital to ensure that queries do not back up).

• Careful consideration of the risks of commissioning a bespoke vendor system, which may be incompatible with future standard product upgrades.

• Continued allocation of sufficient resources to ensure manual internal suspicion reporting is effective, as TM can supplement, but not replace, human awareness in day-to-day business.

Effectiveness

• Analyse system performance at a sufficiently detailed level, for example on a rule-by-rule basis, to understand the real underlying drivers of the performance results.

• Set systems so they do not generate fewer alerts simply to improve performance statistics. There is a risk of ‘artificially’ increasing the proportion of alerts that are ultimately reported as suspicious activity reports without generating an improvement in the quality and quantity of the alerts being generated.

• Deploy analytical tools to identify suspicious activity that is currently not being flagged by existing rules or profile-based monitoring.

• Allocate adequate resources to analysing and assessing system performance, in particular to define how success is measured and produce robust objective data to analyse performance against these measures.

• Consistently monitor from one period to another, rather than on an intermittent basis, to ensure that performance data is not distorted by, for example, ad hoc decisions to run particular rules at different times.

• Measure performance as far as possible against like-for-like comparators, e.g. peers operating in similar markets and using similar profiling and rules.
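The methodology and effectiveness points above describe two detection approaches (fixed-threshold rules, and statistical profiling against the customer’s own or a peer group’s history) and ask that performance be analysed rule by rule rather than for the system as a whole. The Python script below is an added illustration written for this page; it is not code from the FSA report or from any TM vendor. The customers, payment histories, peer-group segmentation, the 10,000 threshold, the z-score limit of 3 and the analyst outcome (which alert was reported as a SAR) are all constructed assumptions.

```python
"""Added example (not FSA/FCA code): a toy automated AML transaction monitoring (TM)
run that combines rules-based checks with statistical profiling, then reports
performance rule by rule. All customers, amounts and outcomes are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    amount: float


# Constructed history of recent payment amounts per customer (assumed to be clean
# data; the guidance notes that data quality limits what a TM system can deliver).
HISTORY = {
    "c1": [120.0, 95.0, 130.0, 110.0, 105.0, 125.0, 115.0, 100.0],
    "c2": [9000.0, 11000.0, 10000.0, 12000.0, 8500.0, 10500.0, 9500.0, 11500.0],
    "c3": [800.0, 900.0, 850.0, 950.0, 820.0, 880.0, 910.0, 870.0],
}
PEER_GROUP = {"c1": "retail", "c2": "sme", "c3": "retail"}  # constructed segmentation

# Constructed transactions for the current monitoring period.
CURRENT = [
    Txn("t1", "c1", 2500.0),   # far above c1's own history, but under the threshold
    Txn("t2", "c2", 9800.0),   # just under the threshold, routine for c2
    Txn("t3", "c2", 10500.0),  # over the threshold, but routine for c2 and its peers
    Txn("t4", "c3", 900.0),    # ordinary activity
]

# Constructed analyst outcome: the alerts that were ultimately reported as SARs.
REPORTED = {"t1"}

FIXED_THRESHOLD = 10000.0  # assumed fixed, pre-set rule threshold
Z_LIMIT = 3.0              # assumed profiling sensitivity


# --- Rules-based monitoring: fixed pre-set thresholds or patterns -------------
def rule_large_amount(txn):
    """Fires on any single payment at or above the fixed threshold."""
    return txn.amount >= FIXED_THRESHOLD


def rule_just_below_threshold(txn):
    """Fires on payments within 5% below the threshold (a fixed pattern rule)."""
    return FIXED_THRESHOLD * 0.95 <= txn.amount < FIXED_THRESHOLD


# --- Profiling: compare current activity with historical activity --------------
def _is_outlier(amount, sample):
    """Z-score test of one amount against a historical sample."""
    mu, sigma = mean(sample), pstdev(sample)
    if sigma == 0.0:  # degenerate history: only an exact repeat counts as normal
        return amount != mu
    return abs(amount - mu) / sigma > Z_LIMIT


def profile_customer(txn):
    """Compare against this customer's own history."""
    return _is_outlier(txn.amount, HISTORY[txn.customer])


def profile_peer_group(txn):
    """Compare against the pooled history of the customer's peer group."""
    group = PEER_GROUP[txn.customer]
    pooled = [a for cust, amts in HISTORY.items() if PEER_GROUP[cust] == group for a in amts]
    return _is_outlier(txn.amount, pooled)


RULES = {
    "large_amount": rule_large_amount,
    "just_below_threshold": rule_just_below_threshold,
    "customer_profile": profile_customer,
    "peer_profile": profile_peer_group,
}


def run_monitoring(txns=CURRENT):
    """Return, per rule name, the set of transaction ids it alerted on."""
    alerts = defaultdict(set)
    for txn in txns:
        for name, check in RULES.items():
            if check(txn):
                alerts[name].add(txn.txn_id)
    return dict(alerts)


def rule_performance(alerts, reported=REPORTED):
    """Per-rule alert volume and SAR conversion, so that a poor overall ratio can be
    traced to the rule driving it instead of being hidden in a system-wide figure."""
    out = {}
    for name in RULES:
        fired = alerts.get(name, set())
        hits = fired & reported
        out[name] = {"alerts": len(fired), "reported": len(hits),
                     "conversion": len(hits) / len(fired) if fired else None}
    return out


if __name__ == "__main__":
    for name, stats in rule_performance(run_monitoring()).items():
        print(f"{name:22s} alerts={stats['alerts']} reported={stats['reported']} "
              f"conversion={stats['conversion']}")
```

Running it shows the threshold rule alerting on a payment that is routine for the SME customer while missing the retail customer’s outlier, which only the two profiling checks catch; the per-rule conversion figures make that visible in the way the first Effectiveness bullet asks for. Raising the threshold would cut the rule’s alert count and flatter the aggregate alert-to-SAR ratio without detecting anything new, which is the distortion the second Effectiveness bullet warns against.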

Oversight

• Senior management should be in a position to monitor the performance of TM systems, particularly at firms that are experiencing operational or performance issues with their systems, so that issues are resolved in a timely fashion.

• Close involvement of the project management process by major business unit stakeholders and IT departments is an important component of successful system implementation.

Reporting & review

• There should be a clear allocation of responsibilities for reviewing, investigating and reporting details of alerts generated by TM systems. Those responsible for this work should have appropriate levels of skill and be subject to effective operational control and quality assurance processes.

Chapter 5

Review of firms’ implementation of a risk-based approach to anti-money laundering (AML) (2008)

5.1 Introduction

5.1.1 Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to all firms for whom we are the supervisory authority under the Money Laundering Regulations.

5.1.2 In March 2008 the FSA conducted a review of firms’ implementation of a risk-based approach to anti-money laundering. This followed the move to a more principles-based regulatory strategy from August 2006, when we replaced the detailed rules contained in the Money Laundering sourcebook with high-level rules in the Senior Management Arrangements, Systems and Controls sourcebook (SYSC) of the Handbook.

5.1.3 The FSA visited 43 firms in total and gathered additional information from approximately 90 small firms with a survey. The report explored in depth a number of key areas that required improvement, including a review of staff training and the need to ensure staff are aware that it is a constant requirement to ensure AML policies and procedures are up to date and effective.

5.1.4 Due to the wide range of firms the FSA visited, there were a number of different findings. There were many examples of good practice, particularly in the way the larger firms had fully embraced the risk-based approach to AML and senior management’s accountability for effective AML. The FSA also recognised that smaller firms, which generally represent lower risk, had fewer resources to devote to money laundering risk assessment and mitigation.

5.1.5 The contents of this report are reflected in ■ FCG 2 (Financial crime systems and controls) and ■ FCG 3 (Money laundering and terrorist financing).

5.2 The FSA’s findings

5.2.1 You can read the findings of the FSA’s thematic review here: http://www.fsa.gov.uk/pubs/other/jmlsg_guidance.pdf

Page 26: Financial Crime Thematic Reviews - FCA HandbookFCTR 17 Managing bribery and corruption risk in commercial insurance broking–update (2014) 17.1 Introduction 17.2 The FCAfindings

FCTR 5 : Review of firms’ Section 5.3 : Consolidated examples of goodimplementation of a risk-based and poor practiceapproach to anti-money…

55.3.1

■ Release 53 ● Aug 2020www.handbook.fca.org.ukFCTR 5/4

5.3 Consolidated examples of good andpoor practice

Firms’ implementation of a risk-based approach to AML

Examples of good practice Examples of poor practice

• One large firm’s procedures • Some firms did not have arequired it to undertake peri- robust approach to classify-odic Know Your Customer ing the money laundering(KYC)/Customer Due Dili- risk associated with their cli-gence (CDD) reviews of ex- ents. For example, oneisting clients. The depth of wholesale small firm classi-the review is determined by fied all its clients as low orthe risk ranking assigned to medium risk, despite thethe client. Clients rated A fact that most of them wereand B are reviewed every based in Eastern Europe,three years; Cs every two ye- North Africa and the Middlears; and Ds and Es are re- East. Another firm’s risk-as-viewed annually. For lower sessment procedures pro-risk (A-C) clients, the review vided that the Compliancemay amount to no more Officer or MLRO (Moneythan refreshing the client’s Laundering Reporting Of-file to take account of: signi- ficer. See FCG Annex 1 forficant changes in ownership common terms) would deter-or capitalisation; changes in mine the risk category forthe client’s line of business; each client and would re-addition of a Politically Ex- cord the basis of the assess-posed Person (PEP) to share- ment for each client. How-holders or senior manage- ever, a file review showedment; or any negative news no evidence that risk assess-on the client’s owners or ments had actually been car-senior managers. For high ried out.risk (D or E) clients, visits tothe client are necessary toprovide an extra layer ofcomfort. Such visits wouldtypically cover: review of cli-ent’s client take-on proced-ures; sample testing of KYCdocumentation on underly-ing clients; and, obtaininganswers to outstanding quer-ies on, e.g., annual AML cer-tification, transaction quer-ies, and potential PEP orsanctions hits.

• One building society under- • Some small firms had pro-took a comprehensive policy duced inadequate annualreview following the publica- MLRO reports, which failedtion of the 2006 JMLSG to demonstrate to their gov-

Page 27: Financial Crime Thematic Reviews - FCA HandbookFCTR 17 Managing bribery and corruption risk in commercial insurance broking–update (2014) 17.1 Introduction 17.2 The FCAfindings

FCTR 5 : Review of firms’ Section 5.3 : Consolidated examples of goodimplementation of a risk-based and poor practiceapproach to anti-money…

5

■ Release 53 ● Aug 2020 www.handbook.fca.org.uk FCTR 5/5

(Joint Money Laundering Ste- erning body and senior man-ering Group. See FCG Annex 1 agement that the firms’for common terms) guid- AML systems and controlsance, in order to identify were operating effectively.which parts of the business In one case, the MLROwere affected and what ac- stated categorically thattion was needed. It identi- there had been no perceivedfied eight core business deficiencies in the suspiciousareas, which represented the activity reporting process.key operational areas ex- However, he was unableposed to risk from money even to describe that pro-laundering. These business cess to us, so it was highlyareas were ranked in order unlikely that he had ever re-of risk and formed into work- viewed the SAR (Suspiciousstreams. The local managers Activity Report. See FCG An-from each workstream busi- nex 1 for common terms) pro-ness area were then trained cess for possible deficiencies.by the Compliance PolicyTeam, using a series of pre-sentations and individualworkshops, to understandthe impact of the risk-basedapproach, their individual re-sponsibilities and the appro-priate customer due dili-gence policies. These man-agers were then required toapply this awareness andtheir existing knowledge oftheir workstreams’ businessactivities to create docu-mented risk profiles coveringcustomers, products, deliverychannels and geography.The risk profiles weregraded as Red, Amber andGreen and customer due dili-gence and monitoring re-quirements set at appropri-ate levels.

• In response to the SYSC • In one small firm, the MLROchanges, one major bank de- was clearly not fully en-cided to appoint the MLRO’s gaged in his role. For ex-line manager as the desig- ample, he was unaware thatnated director with over- we had removed the Moneyarching responsibility for Laundering sourcebook andAML controls. This director he was still using an out-was seen as the obvious cho- dated (2003) edition of theice for the role, given that JMLSG Guidance. It was nothis portfolio of responsibilit- entirely clear whether thisies included fraud, risk and arose from a lack of interestmoney laundering. The in his MLRO function orbank’s decision formally to from inadequate complianceappoint a Board-level senior resources at the firm, whichmanager to this position was left him with insufficientviewed as reinforcing the im- time to keep up to dateportance of having in place with AML matters, or a com-a robust AML control frame- bination of both.work. Following his appoint-ment, the director decidedthat the management in-formation (MI) on AML

Page 28: Financial Crime Thematic Reviews - FCA HandbookFCTR 17 Managing bribery and corruption risk in commercial insurance broking–update (2014) 17.1 Introduction 17.2 The FCAfindings

FCTR 5 : Review of firms’ Section 5.3 : Consolidated examples of goodimplementation of a risk-based and poor practiceapproach to anti-money…

5

■ Release 53 ● Aug 2020www.handbook.fca.org.ukFCTR 5/6

Examples of good practice (continued)

issues he had hitherto received was too ad hoc and fragmented. So the SYSC/JMLSG changes proved to be a catalyst for the bank establishing more organised MI and a Group-level Financial Risk Committee to consider relevant issues. (In the past, various Risk Committees had considered such issues.) The new Committee’s remit covered fraud, money laundering and sanctions issues; however, its primary focus was AML.

• One large bank judged that staff AML training and awareness were suitable for the development of a risk-based approach. It saw a need to differentiate between AML requirements in various business units, so that training could be adapted to the needs of the job. So in Retail, training had been re-designed to produce a more balanced package. Accordingly, staff were required to undertake one training module per quarter, with the emphasis on a different area in each module and a test taken every quarter. The aim was to see what impact this constant ‘drip feed’ of training had on suspicious activity reporting. At the time of the FSA’s visit, this bank was also in the throes of merging its anti-fraud and AML training. The overall objective was to make it more difficult for criminals to do business with the bank undetected.

Examples of poor practice (continued)

• We found some cases of medium-sized and smaller firms documenting their client take-on procedures but not regularly updating those procedures and not always following them. For example, one firm told us that CDD information on clients was refreshed every time clients applied for a new product or service. However, a file review showed no evidence that this had been done.

• A number of medium-sized and small firms were unaware that it was illegal for them to deal with individuals or entities named on the Treasury’s Financial Sanctions list. As a result, no screening of clients or transactions was being undertaken against that list.

• One firm said that it did not routinely check the Financial Sanctions list, because it did not deal with the type of client who might appear on the list.

• Some medium-sized and small firms admitted that staff AML training was an area where improvement was needed. One firm told us that training was delivered as part of an induction programme but not refreshed at regular intervals throughout the employee’s career. Another firm said that it provided AML induction training only if a new joiner specifically requested it and no new employee had actually made such a request. The firm’s MLRO took the view that most new employees came from the regulated sector, so should already be aware of their AML obligations. Such employees were merely required to sign a form to confirm that they were aware of the firm’s AML procedures, but their understanding was never tested.

Financial Crime Thematic Reviews

Chapter 6

Data security in Financial Services (2008)

6.1 Introduction

6.1.1 Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to all firms subject to the financial crime rules in ■ SYSC 3.2.6R or ■ SYSC 6.1.1R and to e-money institutions and payment institutions within our supervisory scope.

6.1.2 In April 2008 the FSA published the findings of our thematic review on how financial services firms in the UK were addressing the risk that customer data may be lost or stolen and used to commit fraud or other financial crime. The FSA visited 39 firms, including retail and wholesale banks, investment firms, insurance companies, financial advisers and credit unions. The FSA also took into account our experience of data loss incidents dealt with by our Financial Crime Operations Team: during 2007, the team dealt with 56 cases of lost or stolen data from financial services firms.

6.1.3 The FSA found a wide variation between good practices demonstrated by firms that were committed to ensuring data security and weakness in firms that were not taking adequate steps. Overall, the FSA found that data security in financial services firms needed to be improved significantly.

6.1.4 The report concluded that poor data security was a serious, widespread and high-impact risk, and that firms were often failing to consider the wider risks of identity fraud which could occur from cases of significant data loss and the impact of this on consumers. The FSA found that firms lacked a clear understanding of these risks and were therefore failing properly to inform customers, resulting in a lack of transparency.

6.1.5 The contents of this report are reflected in ■ FCG 2 (Financial crime systems and controls) and ■ FCG 5 (Data security).

6.2 The FSA’s findings

6.2.1 You can read the findings of the FSA’s thematic review here: http://www.fsa.gov.uk/pubs/other/data_security.pdf

6.3 Consolidated examples of good and poor practice

6.3.1 Governance

Examples of good practice

• Identification of data security as a key specific risk, subject to its own governance, policies and procedures and risk assessment.

• A senior manager with overall responsibility for data security, specifically mandated to manage data security risk assessment and communication between the key stakeholders within the firm such as: senior management, information security, Human Resources, financial crime, security, IT, compliance and internal audit.

• A specific committee with representation from relevant business areas to assess, monitor and control data security risk, which reports to the firm’s Board. As well as ensuring coordinated risk management, this structure sends a clear message to all staff about the importance of data security.

• Written data security policies and procedures that are proportionate, accurate and relevant to staff’s day-to-day work.

• An open and honest culture of communication with pre-determined reporting mechanisms that make it easy for all staff and third parties to report data security concerns and data loss without fear of blame or recrimination.

• Firms seeking external assistance if they feel they do not have the necessary expertise to complete a data security risk assessment themselves.

• Firms liaising with peers and others to increase their awareness of data security risk and the implementation of good systems and controls.

• Detailed plans for reacting to a data loss including when and how to communicate with affected customers.

• Firms writing to affected customers promptly after a data loss, telling them what has been lost and how it was lost.

• Firms offering advice on protective measures against identity fraud to consumers affected by data loss and, where appropriate, paying for such services to be put in place.

Examples of poor practice

• Treating data security as an IT issue and failing to involve other key staff from across the business in the risk assessment process.

• No written policies and procedures on data security.

• Firms do not understand the need for knowledge-sharing on data security.

• Failing to take opportunities to share information with, and learn from, peers and others about data security risk and not recognising the need to do so.

• A ‘blame culture’ that discourages staff from reporting data security concerns and data losses.

• Failure to notify customers affected by data loss in case the details are picked up by the media.

6.3.2 Training and awareness

Examples of good practice

• Innovative training and awareness campaigns that focus on the financial crime risks arising from poor data security, as well as the legal and regulatory requirements to protect customer data.

• Clear understanding among staff about why data security is relevant to their work and what they must do to comply with relevant policies and procedures.

• Simple, memorable and easily digestible guidance for staff on good data security practice.

• Testing of staff understanding of data security policies on induction and once a year after that.

• Competitions, posters, screensavers and group discussion to raise interest in the subject.

Examples of poor practice

• No training to communicate policies and procedures.

• Managers assuming that employees understand data security risk without any training.

• Data security policies which are very lengthy, complicated and difficult to read.

• Reliance on staff signing an annual declaration stating that they have read policy documents without any further testing.

• Staff being given no incentive to learn about data security.

6.3.3 Staff recruitment and vetting

Examples of good practice

• Vetting staff on a risk-based approach, taking into account data security and other fraud risk.

• Enhanced vetting – including checks of credit records, criminal records, financial sanctions lists and the CIFAS Staff Fraud Database – for staff in roles with access to large amounts of customer data.

• Liaison between HR and Financial Crime to ensure that financial crime risk indicators are considered during the vetting process.

• A good understanding of vetting conducted by employment agencies for temporary and contract staff.

• Formalised procedures to assess regularly whether staff in higher-risk positions are becoming vulnerable to committing fraud or being coerced by criminals.

Examples of poor practice

• Allowing new recruits to access customer data before vetting has been completed.

• Temporary staff receiving less rigorous vetting than permanently employed colleagues carrying out similar roles.

• Failing to consider continually whether staff in higher-risk positions are becoming vulnerable to committing fraud or being coerced by criminals.

6.3.4 Controls – Access rights

Examples of good practice

• Specific IT access profiles for each role in the firm, which set out exactly what level of IT access is required for an individual to do their job.

• If a staff member changes roles or responsibilities, all IT access rights are deleted from the system and the user is set up using the same process as if they were a new joiner at the firm. The complexity of this process is significantly reduced if role-based IT access profiles are in place – the old one can simply be replaced with the new.

• A clearly-defined process to notify IT of forthcoming staff departures in order that IT accesses can be permanently disabled or deleted on a timely and accurate basis.

• Regular reviews of staff IT access rights to ensure that there are no anomalies.

• ‘Least privilege’ access to call recordings and copies of scanned documents obtained for ‘know your customer’ purposes.

• Authentication of customers’ identities using, for example, touch-tone telephone before a conversation with a call centre adviser takes place. This limits the amount of personal information and/or passwords contained in call recordings.

• Masking credit card, bank account details and other sensitive data like customer passwords where this would not affect employees’ ability to do their job.

Examples of poor practice

• Staff having access to customer data that they do not require to do their job.

• User access rights set up on a case-by-case basis with no independent check that they are appropriate.

• Failing to consider continually whether staff in higher-risk positions are becoming vulnerable to committing fraud or being coerced by criminals.

• User accounts being left ‘live’ or only suspended (i.e. not permanently disabled) when a staff member leaves.

• A lack of independent check of changes effected at any stage in the joiners, movers and leavers process.
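The joiners, movers and leavers logic described above, as an added illustration that is not FSA or FCA code: a mover is rebuilt from the new role profile rather than accumulating rights, a leaver is disabled rather than suspended, and a periodic review flags any account whose entitlements do not match its role. The role names, profile contents and account records are constructed for the example.

```python
"""Role-based IT access profiles with a joiners/movers/leavers (JML) check.

Added illustration, not FSA/FCA code. Role names, profile contents and the
account records below are assumptions constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed role profiles: exactly the entitlements each role needs.
ROLE_PROFILES: Dict[str, Set[str]] = {
    "call_centre_adviser": {"crm:read", "telephony:read"},
    "claims_handler": {"crm:read", "claims:read", "claims:write"},
    "superuser": {"crm:read", "crm:write", "claims:read", "claims:write", "db:export"},
}


@dataclass
class Account:
    user: str
    role: Optional[str]        # None once the person has left the firm
    status: str                # "live", "suspended" or "disabled"
    entitlements: Set[str] = field(default_factory=set)


def move_role(account: Account, new_role: str) -> Account:
    """Mover: drop all old rights and set the user up as if a new joiner."""
    if new_role not in ROLE_PROFILES:
        raise ValueError(f"unknown role: {new_role}")
    account.role = new_role
    account.entitlements = set(ROLE_PROFILES[new_role])  # old profile replaced
    account.status = "live"
    return account


def leaver(account: Account) -> Account:
    """Leaver: permanently disable and strip every entitlement (not just suspend)."""
    account.role = None
    account.entitlements = set()
    account.status = "disabled"
    return account


def review_access(accounts: List[Account]) -> Dict[str, List[str]]:
    """Periodic access review: {user: [findings]} for accounts with anomalies.

    Flags entitlements beyond or missing from the role profile, and leaver
    accounts that are still live or only suspended or still hold rights.
    """
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        problems: List[str] = []
        if a.role is None:
            if a.status != "disabled":
                problems.append(f"leaver account is {a.status}, not disabled")
            if a.entitlements:
                problems.append("leaver still holds entitlements")
        else:
            expected = ROLE_PROFILES[a.role]
            extra = sorted(a.entitlements - expected)
            missing = sorted(expected - a.entitlements)
            if extra:
                problems.append(f"entitlements beyond role profile: {extra}")
            if missing:
                problems.append(f"entitlements missing from profile: {missing}")
        if problems:
            findings[a.user] = problems
    return findings


if __name__ == "__main__":
    # Constructed walk-through: a mover, a leaver and one anomalous account.
    alice = move_role(Account("alice", "call_centre_adviser", "live",
                              set(ROLE_PROFILES["call_centre_adviser"])), "claims_handler")
    bob = Account("bob", "claims_handler", "live",
                  {"crm:read", "claims:read", "claims:write", "db:export"})
    carol = leaver(Account("carol", "superuser", "live", set(ROLE_PROFILES["superuser"])))
    for user, problems in review_access([alice, bob, carol]).items():
        print(user, problems)
```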

6.3.5 Controls – passwords and user accounts

Examples of good practice

• Individual user accounts – requiring passwords – in place for all systems containing customer data.

• Password standards at least equivalent to those recommended by Get Safe Online – a government-backed campaign group. In July 2011, their recommended standard for passwords was a combination of letters, numbers and keyboard symbols at least eight characters in length and changed regularly.

• Measures to ensure passwords are robust. These might include controls to ensure that passwords can only be set in accordance with policy and the use of password-cracking software on a risk-based approach.

• ‘Straight-through processing’, but only if complemented by accurate role-based access profiles and strong passwords.

Examples of poor practice

• The same user account and password used by multiple users to access particular systems.

• Names and dictionary words used as passwords.

• Systems that allow passwords to be set which do not comply with password policy.

• Individuals share passwords.

6.3.6 Controls – monitoring access to customer data

Examples of good practice

• Risk-based, proactive monitoring of staff’s access to customer data to ensure it is being accessed and/or updated for a genuine business reason.

• The use of software designed to spot suspicious activity by employees with access to customer data. Such software may not be useful in its ‘off-the-shelf’ format so it is good practice for firms to ensure that it is tailored to their business profile.

• Strict controls over superusers’ access to customer data and independent checks of their work to ensure they have not accessed, manipulated or extracted data that was not required for a particular task.

Examples of poor practice

• Assuming that vetted staff with appropriate access rights will always act appropriately. Staff can breach procedures, for example by looking at account information relating to celebrities, be tempted to commit fraud themselves or be bribed or threatened to give customer data to criminals.

• Names and dictionary words used as passwords.

• Failing to monitor superusers or other employees with access to large amounts of customer data.
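Detection logic for the monitoring described above, as an added example that is not the FSA’s or any vendor’s software: it runs over a constructed audit trail and flags access to high-profile records, access with no linked work item (no evidenced business reason), and superuser exports or bulk access. The log format, field names, watch-list and threshold are assumptions.

```python
"""Risk-based monitoring of staff access to customer data.

Added example, not FSA/FCA or vendor code. The pipe-separated log format,
the watch-list, the threshold and the sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    ts: str          # ISO date-time (constructed)
    staff: str
    role: str
    customer: str
    action: str      # "view", "update" or "export"
    case_ref: str    # linked work item, or "" if none was recorded


# Constructed watch-list: records (e.g. celebrities) whose access is always reviewed.
HIGH_PROFILE: Set[str] = {"C-1001"}
# A superuser touching more distinct customers than this in a day is reviewed.
BULK_THRESHOLD = 3


def parse_log(text: str) -> List[AccessEvent]:
    """Parse pipe-separated audit lines into AccessEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, staff, role, customer, action, case_ref = (p.strip() for p in line.split("|"))
        events.append(AccessEvent(ts, staff, role, customer, action, case_ref))
    return events


def detect(events: List[AccessEvent]) -> List[Tuple[str, str, str]]:
    """Return (rule, staff, detail) alerts for an independent reviewer.

    Rules: high-profile record touched; access with no linked case;
    superuser export; superuser bulk access within one day.
    """
    alerts: List[Tuple[str, str, str]] = []
    per_day: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in events:
        if e.customer in HIGH_PROFILE:
            alerts.append(("high_profile_access", e.staff, e.customer))
        if not e.case_ref:
            alerts.append(("no_business_reason", e.staff, f"{e.action} {e.customer}"))
        if e.role == "superuser":
            if e.action == "export":
                alerts.append(("superuser_export", e.staff, e.customer))
            per_day[(e.staff, e.ts[:10])].add(e.customer)
    for (staff, day), customers in sorted(per_day.items()):
        if len(customers) > BULK_THRESHOLD:
            alerts.append(("superuser_bulk_access", staff, f"{len(customers)} customers on {day}"))
    return alerts


# Constructed sample audit trail (not real data).
SAMPLE_LOG = """
2008-04-01T09:02:11 | s101 | call_centre_adviser | C-2002 | view   | CASE-77
2008-04-01T09:05:40 | s101 | call_centre_adviser | C-1001 | view   | CASE-78
2008-04-01T09:10:03 | s102 | claims_handler      | C-2003 | update |
2008-04-01T10:00:00 | s900 | superuser           | C-2004 | view   | CHG-5
2008-04-01T10:00:05 | s900 | superuser           | C-2005 | view   | CHG-5
2008-04-01T10:00:09 | s900 | superuser           | C-2006 | view   | CHG-5
2008-04-01T10:00:14 | s900 | superuser           | C-2007 | export | CHG-5
"""

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```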

6.3.7 Controls – data back-up

Examples of good practice

• Firms conducting a proper risk assessment of threats to data security arising from the data back-up process – from the point that back-up tapes are produced, through the transit process to the ultimate place of storage.

• Firms encrypting backed-up data that is held off-site, including while in transit.

• Regular reviews of the level of encryption to ensure it remains appropriate to the current risk environment.

• Back-up data being transferred by secure Internet links.

• Due diligence on third parties that handle backed-up customer data so the firm has a good understanding of how it is secured, exactly who has access to it and how staff with access to it are vetted.

• Staff with responsibility for holding backed-up data off-site being given assistance to do so securely. For example, firms could offer to pay for a safe to be installed at the staff member’s home.

• Firms conducting spot checks to ensure that data held off-site is held in accordance with accepted policies and procedures.

Examples of poor practice

• Firms failing to consider data security risk arising from the backing up of customer data.

• A lack of clear and consistent procedures for backing up data, resulting in data being backed up in several different ways at different times. This makes it difficult for firms to keep track of copies of their data.

• Unrestricted access to back-up tapes for large numbers of staff at third party firms.

• Back-up tapes being held insecurely by firm’s employees; for example, being left in their cars or at home on the kitchen table.

6.3.8 Controls – access to the internet and email

Examples of good practice

• Giving internet and email access only to staff with a genuine business need.

• Considering the risk of data compromise when monitoring external email traffic, for example by looking for strings of numbers that might be credit card details.

• Where proportionate, using specialist IT software to detect data leakage via email.

• Completely blocking access to all internet content which allows web-based communication. This content includes web-based email, messaging facilities on social networking sites, external instant messaging and ‘peer-to-peer’ file-sharing software.

• Firms that provide cyber-cafes for staff to use during breaks ensuring that web-based communications are blocked or that data cannot be transferred into the cyber-cafe, either in electronic or paper format.

Examples of poor practice

• Allowing staff who handle customer data to have access to the internet and email if there is no business reason for this.

• Allowing access to web-based communication Internet sites. This content includes web-based email, messaging facilities on social networking sites, external instant messaging and ‘peer-to-peer’ file-sharing software.
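The email check mentioned above, looking for strings of numbers that might be card details, as an added example rather than the FSA’s or any product’s code: it finds 13 to 19 digit runs (tolerating the spaces or hyphens people type between groups) and keeps only those passing the Luhn checksum, so phone and reference numbers produce fewer false positives. The sample message and the quarantine threshold are constructed.

```python
"""Flag card-like digit strings in outbound email text.

Added example, not FSA/FCA or vendor DLP code. The Luhn checksum is used
as a plausibility filter; the sample message below is constructed.
"""
import re
from typing import List, Tuple

# 13-19 digits, each optionally followed by a space or hyphen; the
# lookarounds stop the match starting or ending inside a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_like_numbers(text: str) -> List[Tuple[str, int]]:
    """Return (masked_number, digit_count) for each Luhn-valid run in text.

    Only the last four digits are kept so the alert does not itself leak
    the full number into the monitoring system.
    """
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(("*" * (len(digits) - 4) + digits[-4:], len(digits)))
    return hits


def should_quarantine(message: str, max_hits: int = 0) -> bool:
    """Policy decision: hold the message if it carries more hits than allowed."""
    return len(find_card_like_numbers(message)) > max_hits


if __name__ == "__main__":
    # Constructed message: one valid test card number, one phone number,
    # one policy reference and one mistyped card number.
    sample = ("Hi, my card is 4111 1111 1111 1111, call me on 020 7946 0958. "
              "Your policy reference is 1234567890123 and typo 4111-1111-1111-1112.")
    print(find_card_like_numbers(sample), should_quarantine(sample))
```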

6.3.9 Controls – key-logging devices

Examples of good practice

• Regular sweeping for key-logging devices in parts of the firm where employees have access to large amounts of, or sensitive, customer data. (Firms will also wish to conduct sweeps in other sensitive areas. For example, where money can be transferred.)

• Use of software to determine whether unusual or prohibited types of hardware have been attached to employees’ computers.

• Raising awareness of the risk of key-logging devices. The vigilance of staff is a useful method of defence.

• Anti-spyware software and firewalls etc in place and kept up to date.

6.3.10 Controls – laptop

Examples of good practice

• The encryption of laptops and other portable devices containing customer data.

• Controls that mitigate the risk of employees failing to follow policies and procedures. The FSA has dealt with several cases of lost or stolen laptops that arose from firms’ staff not doing what they should.

• Maintaining an accurate register of laptops issued to staff.

• Regular audits of the contents of laptops to ensure that only staff who are authorised to hold customer data on their laptops are doing so and that this is for genuine business reasons.

• The wiping of shared laptops’ hard drives between uses.

Examples of poor practice

• Unencrypted customer data on laptops.

• A poor understanding of which employees have been issued or are using laptops to hold customer data.

• Shared laptops used by staff without being signed out or wiped between uses.

6.3.11 Controls – portable media including USB devices and CDs

Examples of good practice

• Ensuring that only staff with a genuine business need can download customer data to portable media such as USB devices and CDs.

• Ensuring that staff authorised to hold customer data on portable media can only do so if it is encrypted.

• Maintaining an accurate register of staff allowed to use USB devices and staff who have been issued USB devices.

• The use of software to prevent and/or detect individuals using personal USB devices.

• Firms reviewing regularly and on a risk-based approach the copying of customer data to portable media to ensure there is a genuine business reason for it.

• The automatic encryption of portable media attached to firms’ computers.

• Providing lockers for higher-risk staff such as call centre staff and superusers and restricting them from taking personal effects to their desks.

Examples of poor practice

• Allowing staff with access to bulk customer data – for example, superusers – to download to unencrypted portable media.

• Failing to review regularly threats posed by increasingly sophisticated and quickly evolving personal technology such as mobile phones.

6.3.12 Controls – Physical security

Examples of good practice

• Appropriately restricted access to areas where large amounts of customer data are accessible, such as server rooms, call centres and filing areas.

• Using robust intruder deterrents such as keypad entry doors, alarm systems, grilles or barred windows, and closed circuit television (CCTV).

• Robust procedures for logging visitors and ensuring adequate supervision of them while on-site.

• Training and awareness programmes for staff to ensure they are fully aware of more basic risks to customer data arising from poor physical security.

• Employing security guards, cleaners etc directly to ensure an appropriate level of vetting and reduce risks that can arise through third party suppliers accessing customer data.

• Using electronic swipe card records to spot unusual behaviour or access to high risk areas.

• Keeping filing cabinets locked during the day and leaving the key with a trusted member of staff.

• An enforced clear-desk policy.

Examples of poor practice

• Allowing staff or other persons with no genuine business need to access areas where customer data is held.

• Failure to check electronic records showing who has accessed sensitive areas of the office.

• Failure to lock away customer records and files when the office is left unattended.

6.3.13 Controls – Disposal of customer data

Examples of good practice

• Procedures that result in the production of as little paper-based customer data as possible.

• Treating all paper as ‘confidential waste’ to eliminate confusion among employees about which type of bin to use.

• All customer data disposed of by employees securely, for example by using shredders (preferably cross-cut rather than straight-line shredders) or confidential waste bins.

• Checking general waste bins for the accidental disposal of customer data.

• Using a third party supplier, preferably one with BSIA (British Security Industry Association) accreditation, which provides a certificate of secure destruction, to shred or incinerate paper-based customer data. It is important for firms to have a good understanding of the supplier’s process for destroying customer data and their employee vetting standards.

• Providing guidance for travelling or home-based staff on the secure disposal of customer data.

• Computer hard drives and portable media being properly wiped (using specialist software) or destroyed as soon as they become obsolete.

Examples of poor practice

• Poor awareness among staff about how to dispose of customer data securely.

• Slack procedures that present opportunities for fraudsters, for instance when confidential waste is left unguarded on the premises before it is destroyed.

• Staff working remotely failing to dispose of customer data securely.

• Firms failing to provide guidance or assistance to remote workers who need to dispose of an obsolete home computer.

• Firms stockpiling obsolete computers and other portable media for too long and in insecure environments.

• Firms relying on others to erase or destroy their hard drives and other portable media securely without evidence that this has been done competently.

6.3.14 Managing third-party suppliers

Examples of good practice

• Conducting due diligence of data security standards at third-party suppliers before contracts are agreed.

• Regular reviews of third-party suppliers’ data security systems and controls, with the frequency of review dependent on data security risks identified.

• Ensuring third-party suppliers’ vetting standards are adequate by testing the checks performed on a sample of staff with access to customer data.

• Only allowing third-party IT suppliers access to customer databases for specific tasks on a case-by-case basis.

• Third-party suppliers being subject to procedures for reporting data security breaches within an agreed timeframe.

• The use of secure internet links to transfer data to third parties.

Examples of poor practice

• Allowing third-party suppliers to access customer data when no due diligence of data security arrangements has been performed.

• Firms not knowing exactly which third-party staff have access to their customer data.

• Firms not knowing how third-party suppliers’ staff have been vetted.

• Allowing third-party staff unsupervised access to areas where customer data is held when they have not been vetted to the same standards as employees.

• Allowing IT suppliers unrestricted or unmonitored access to customer data.

• A lack of awareness of when/how third-party suppliers can access customer data and failure to monitor such access.

• Unencrypted customer data being sent to third parties using unregistered post.

6.3.15 Internal audit and compliance monitoring

Examples of good practice

• Firms seeking external assistance where they do not have the necessary in-house expertise or resources.

• Compliance and internal audit conducting specific reviews of data security which cover all relevant areas of the business including IT, security, HR, training and awareness, governance and third-party suppliers.

• Firms using expertise from across the business to help with the more technical aspects of data security audits and compliance monitoring.

Examples of poor practice

• Compliance focusing only on compliance with data protection legislation and failing to consider adherence to data security policies and procedures.

• Compliance consultants adopting a ‘one size fits all’ approach to different clients’ businesses.

Financial Crime Thematic Reviews

Chapter 7

Review of financial crime controls in offshore centres (2008)

7.1 Introduction

7.1.1 Who should read this chapter? This chapter is relevant to:

• all firms subject to the financial crime rules in ■ SYSC 3.2.6R or ■ SYSC 6.1.1R; and

• e-money institutions and payment institutions within our supervisory scope who have or are considering establishing operations in offshore centres.

7.1.2 In the second half of 2008 the FSA reviewed how financial services firms in the UK were addressing financial crime risks in functions they had moved to offshore centres. The review followed on from the FSA’s report into data security in financial services (April 2008 – http://www.fsa.gov.uk/pubs/other/data_security.pdf).

7.1.3 The main financial crime risks the FSA reviewed were: customer data being lost or stolen and used to facilitate fraud; money laundering; and fraud. The review found that, while there were good data security controls in place across the industry, continued effort was required to ensure controls did not break down and that they remained ‘valid and risk-based’.

7.1.4 The review emphasised the importance of appropriate vetting and training of all staff, particularly with regard to local staff who had financial crime responsibilities. An examination revealed that training in this area was often lacking and not reflective of the needs of, and work done by, members of staff. The report emphasised that senior management should ensure that staff operating in these roles were given proper financial crime training as well as ensuring they possessed the appropriate technical know-how. The review also highlighted that, due to high staff turnover, firms needed appropriate and thorough vetting controls to supplement inadequate local electronic intelligence and search systems.

7.1.5 The contents of this report are reflected in ■ FCG 2 (Financial crime systems and controls) and ■ FCG 5 (Data security).

7.2 The FSA’s findings

7.2.1 You can read the findings of the FSA’s thematic review here: http://www.fsa.gov.uk/pages/About/What/financial_crime/library/reports/review_offshore.shtml

7.3 Consolidated examples of good and poor practice

7.3.1 This report did not contain consolidated examples of good and poor practice.

Chapter 8

Financial services firms’ approach to UK financial sanctions (2009)

8.1 Introduction

8.1.1 Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to all firms subject to the financial crime rules in ■ SYSC 3.2.6R or ■ SYSC 6.1.1R and to e-money institutions and payment institutions within our supervisory scope.

8.1.2 In April 2009 the FSA published the findings of our thematic review of firms’ approach to UK financial sanctions. The FSA received 228 responses to an initial survey from a broad range of firms across the financial services industry, ranging from small firms to major financial groups, both retail and wholesale. Tailored surveys were sent to different types of firms to ensure that the questions were relevant to the nature and scale of the business of each firm. The FSA then selected a sub-sample of 25 firms to visit to substantiate the findings from the surveys.

8.1.3 The review highlighted areas where there was significant scope across the industry for improvement in firms’ systems and controls to comply with the UK financial sanctions regime. The FSA found that, while some firms had robust systems in place that were appropriate to their business need, others, including some major firms, lacked integral infrastructure and struggled with inappropriate systems for their business. In small firms in particular, the FSA found a widespread lack of awareness of the UK financial sanctions regime.

8.1.4 The report examined a number of key areas of concern which included an in-depth look at whether senior management were aware of their responsibilities and, if so, were responding in an appropriate manner. The FSA also identified issues over the implementation of policies and procedures, particularly those put in place to ensure that staff were adequately trained, were kept aware of changes in this area, and knew how to respond when sanctions were imposed. The FSA also had concerns about firms’ screening of clients, both initially and as an ongoing process.

8.1.5 The contents of this report are reflected in ■ FCG 2 (Financial crime systems and controls) and ■ FCG 7 (Sanctions and asset freezes).

8.2 The FSA’s findings

8.2.1 You can read the findings of the FSA’s thematic review here: http://www.fsa.gov.uk/pubs/other/Sanctions_final_report.pdf

8.3 Consolidated examples of good and poor practice

8.3.1 Senior management responsibility

Examples of good practice

• Senior management involvement in approving and taking responsibility for policies and procedures.

• A level of senior management awareness of the firm’s obligations regarding financial sanctions sufficient to enable them to discharge their functions effectively.

• Appropriate escalation in cases where a potential target match cannot easily be verified.

• Adequate and appropriate resources allocated by senior management.

• Appropriate escalation of actual target matches and breaches of UK financial sanctions.

Examples of poor practice

• No senior management involvement or understanding regarding the firm’s obligations under the UK financial sanctions regime, or its systems and controls to comply with it.

• No, or insufficient, management oversight of the day-to-day operation of systems and controls.

• Failure to include assessments of the financial sanctions systems and controls as a normal part of internal audit programmes.

• No senior management involvement in any cases where a potential target match cannot easily be verified.

• Senior management never being made aware of a target match or breach of sanctions for an existing customer.

• Failure to notify customers affected by data loss in case the details are picked up by the media.

8.3.2 Risk assessment

Examples of good practice

• Conducting a comprehensive risk assessment, based on a good understanding of the financial sanctions regime, covering the risks that may be posed by clients, transactions, services, products and jurisdictions.

• Taking into account associated parties, such as directors and beneficial owners.

• A formal documented risk assessment with a clearly documented rationale for the approach.

Examples of poor practice

• Not assessing the risks that the firm may face of breaching financial sanctions.

• Risk assessments that are based on misconceptions.

8.3.3 Policies and procedures

Examples of good practice

• Documented policies and procedures in place, which clearly set out a firm’s approach to complying with its legal and regulatory requirements in this area.

• Group-wide policies for UK financial sanctions screening, to ensure that business unit-specific policies and procedures reflect the standard set out in group policy.

• Effective procedures to screen against the Consolidated List (See FCG Annex 1 for descriptions of common terms) that are appropriate for the business, covering customers, transactions and services across all products and business lines.

• Clear, simple and well understood escalation procedures to enable staff to raise financial sanctions concerns with management.

• Regular review and update of policies and procedures.

• Regular reviews of the effectiveness of policies, procedures, systems and controls by the firm’s internal audit function or another independent party.

• Procedures that include ongoing monitoring/screening of clients.

Examples of poor practice

• No policies or procedures in place for complying with the legal and regulatory requirements of the UK financial sanctions regime.

• Internal audits of procedures carried out by persons with responsibility for oversight of financial sanctions procedures, rather than an independent party.

8.3.4 Staff training and awareness

Examples of good practice

• Regularly updated training and awareness programmes that are relevant and appropriate for employees’ particular roles.

• Testing to ensure that employees have a good understanding of financial sanctions risks and procedures.

• Ongoing monitoring of employees’ work to ensure they understand the financial sanctions procedures and are adhering to them.

• Training provided to each business unit covering both the group-wide and business unit-specific policies on financial sanctions.

Examples of poor practice

• No training on financial sanctions.

• Relevant staff unaware of the firm’s policies and procedures to comply with the UK financial sanctions regime.

• Changes to the financial sanctions policies, procedures, systems and controls are not communicated to relevant staff.

8.3.5 Screening during client take-on

Examples of good practice

• An effective screening system appropriate to the nature, size and risk of the firm’s business.

• Screening against the Consolidated List at the time of client take-on before providing any services or undertaking any transactions for a customer.

• Screening directors and beneficial owners of corporate customers.

• Screening third party payees where adequate information is available.

• Where the firm’s procedures require dual control (e.g. a ‘four eyes’ check) to be used, having in place an effective process to ensure this happens.

• The use of ‘fuzzy matching’ where automated screening systems are used.

• Where a commercially available automated screening system is implemented, making sure that there is a full understanding of the capabilities and limits of the system.

Examples of poor practice

• Screening only on notification of a claim on an insurance policy, rather than during client take-on.

• Relying on other FSA-authorised firms and compliance consultants to screen clients against the Consolidated List without taking reasonable steps to ensure that they are doing so effectively.

• Assuming that AML customer due diligence checks include screening against the Consolidated List.

• Failing to screen UK-based clients on the assumption that there are no UK-based persons or entities on the Consolidated List or failure to screen due to any other misconception.

• Large global institutions with millions of clients using manual screening, increasing the likelihood of human error and leading to matches being missed.

• IT systems that cannot flag potential matches clearly and prominently.

• Firms calibrating their screening rules too narrowly or too widely so that they, for example, match only exact names with the Consolidated List or generate large numbers of resource intensive false positives.

• Regarding the implementation of a commercially available sanctions screening system as a panacea, with no further work required by the firm.

• Failing to tailor a commercially available sanctions screening system to the firm’s requirements.

8.3.6 Ongoing screening

Examples of good practice

• Screening of the entire client base within a reasonable time following updates to the Consolidated List.

• Ensuring that customer data used for ongoing screening is up to date and correct.

• Processes that include screening for indirect as well as direct customers and also third party payees, wherever possible.

• Processes that include screening changes to corporate customers’ data (e.g. when new directors are appointed or if there are changes to beneficial owners).

• Regular reviews of the calibration and rules of automated systems to ensure they are operating effectively.

• Screening systems calibrated in accordance with the firm’s risk appetite, rather than the settings suggested by external software providers.

• Systems calibrated to include ‘fuzzy matching’, including name reversal, digit rotation and character manipulation.

• Flags on systems prominently and clearly identified.

• Controls that require referral to relevant compliance staff prior to dealing with flagged individuals or entities.

Examples of poor practice

• No ongoing screening of customer databases or transactions.

• Failure to screen directors and beneficial owners of corporate customers and/or third party payees where adequate information is available.

• Failure to review the calibration and rules of automated systems, or to set the calibration in accordance with the firm’s risk appetite.

• Flags on systems that are dependent on staff looking for them.

• Controls on systems that can be overridden without referral to compliance.

8.3.7 Treatment of potential target matches

Examples of good practice

• Procedures for investigating whether a potential match is an actual target match or a false positive.

• Procedures for freezing accounts where an actual target match is identified.

• Procedures for notifying the Treasury’s AFU promptly of any confirmed matches.

• Procedures for notifying senior management of target matches and cases where the firm cannot determine whether a potential match is the actual target on the Consolidated List.

• A clear audit trail of the investigation of potential target matches and the decisions and actions taken, such as the rationale for deciding that a potential target match is a false positive.

Examples of poor practice

• No procedures in place for investigating potential matches with the Consolidated List.

• Discounting actual target matches incorrectly as false positives due to insufficient investigation.

• No audit trail of decisions where potential target matches are judged to be false positives.
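The screening tables above ask for ‘fuzzy matching’ (name reversal, digit rotation, character manipulation), for calibration against the firm’s risk appetite rather than vendor defaults, and for an audit trail of how each potential match was resolved. The Python example below is added here to show those three points working together; it is not part of the FCA text and is not the logic of any commercial screening product. Everything in it is constructed: the two list entries are placeholders rather than real Consolidated List entries, and the 0.85 threshold, the 0.8 per-token match level and the two-token rule are assumed calibration choices a firm would set for itself. Name reversal is covered by ignoring token order, character manipulation by edit distance between tokens, and ‘digit rotation’ is interpreted here as one adjacent-digit swap in a date of birth; dates are assumed to have been normalised to one format upstream, since ongoing screening depends on customer data being correct.

```python
"""Added illustration of fuzzy sanctions screening (constructed data only)."""
from __future__ import annotations

import re
import unicodedata

# Constructed sample entries: placeholders, NOT taken from the Consolidated List.
SAMPLE_LIST = [
    {"id": "SL-0001", "name": "Ivan Petrovich Sokolov", "dob": "1965-04-12"},
    {"id": "SL-0002", "name": "Acme Trading Company Limited", "dob": ""},
]

# Corporate suffixes and filler words that carry no matching evidence.
STOPWORDS = {"limited", "ltd", "company", "co", "plc", "the", "and"}

TOKEN_MATCH = 0.8  # assumed per-token similarity needed to count a token as matched


def normalise(name: str) -> list[str]:
    """Lower-case, strip accents and punctuation, drop stopwords, return tokens."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return [t for t in text.split() if t not in STOPWORDS]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: each manipulated, dropped or inserted character costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical tokens, 0.0 for wholly different ones."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


def name_score(candidate: str, listed: str) -> tuple[float, int]:
    """Order-insensitive score, so 'Sokolov Ivan' scores like 'Ivan Sokolov'.

    Returns (mean of each candidate token's best similarity, number of tokens
    matched at >= TOKEN_MATCH). Ignoring token order covers name reversal.
    """
    ct, lt = normalise(candidate), normalise(listed)
    if not ct or not lt:
        return 0.0, 0
    best = [max(similarity(c, l) for l in lt) for c in ct]
    return round(sum(best) / len(best), 3), sum(1 for s in best if s >= TOKEN_MATCH)


def dob_check(candidate: str, listed: str) -> str:
    """Compare dates as digit strings; 'transposed' = one adjacent-digit swap."""
    a, b = re.sub(r"\D", "", candidate), re.sub(r"\D", "", listed)
    if not a or not b:
        return "unknown"
    if a == b:
        return "exact"
    if len(a) == len(b):
        diff = [i for i in range(len(a)) if a[i] != b[i]]
        i = diff[0]
        if diff == [i, i + 1] and a[i:i + 2] == b[i + 1] + b[i]:
            return "transposed"
    return "different"


def screen(name: str, dob: str, threshold: float, entries=SAMPLE_LIST) -> list[dict]:
    """Return potential target matches at or above the calibrated threshold.

    A hit also needs at least two matched tokens (or all of them for a
    one-token entry) so a lone common forename does not flood reviewers.
    """
    hits = []
    for entry in entries:
        score, matched = name_score(name, entry["name"])
        required = min(2, len(normalise(entry["name"])))
        if score >= threshold and matched >= required:
            hits.append({"list_id": entry["id"], "name_score": score,
                         "dob": dob_check(dob, entry["dob"])})
    return hits


def record_decision(audit: list, customer: str, hit: dict, decision: str,
                    rationale: str, reviewer: str) -> dict:
    """Append an auditable outcome for a potential match and return it."""
    if decision not in {"true_match", "false_positive", "escalated"}:
        raise ValueError(f"unknown decision: {decision}")
    record = {"customer": customer, **hit, "decision": decision,
              "rationale": rationale, "reviewer": reviewer}
    audit.append(record)
    return record


if __name__ == "__main__":
    # The same customer under an exact-only threshold and a calibrated one.
    for threshold in (1.0, 0.85):
        print(threshold, screen("Ivan Sokolow", "1965-04-21", threshold))
```

Running the module screens one customer twice: at a threshold of 1.0 (exact names only) a one-letter variant of the listed surname is missed, at 0.85 it is flagged with the date of birth reported as transposed. Lowering the threshold further widens recall at the cost of resource-intensive false positives, which is the calibration trade-off the table describes, and the reviewer’s decision on each hit is kept with its rationale rather than discarded.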

Chapter 9

Anti-bribery and corruption in commercial insurance broking (2010)

9.1 Introduction

9.1.1 Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to:

• commercial insurance brokers and other firms who are subject to the financial crime rules in ■ SYSC 3.2.6R or ■ SYSC 6.1.1R; and

• e-money institutions and payment institutions within our supervisory scope.

Except that ■ FCTR 9.3.3G and ■ FCTR 9.3.4G only apply to those firms or institutions who use third parties to win business. It may also be of interest to other firms who are subject to ■ SYSC 3.2.6R and ■ SYSC 6.1.1R.

9.1.2 In May 2010 the FSA published the findings of our review into the way commercial insurance broker firms in the UK addressed the risks of becoming involved in corrupt practices such as bribery. The FSA visited 17 broker firms. Although this report focused on commercial insurance brokers, the findings are relevant in other sectors.

9.1.3 The report examined standards in managing the risk of illicit payments or inducements to, or on behalf of, third parties in order to obtain or retain business.

9.1.4 The report found that many firms’ approach towards high-risk business was not of an acceptable standard and that there was a risk that firms were not able to demonstrate that adequate procedures were in place to prevent bribery from occurring.

9.1.5 The report identified a number of common concerns including weak governance and a poor understanding of bribery and corruption risks among senior managers as well as very little or no specific training and weak vetting of staff. The FSA found that there was a general failure to implement a risk-based approach to anti-bribery and corruption and very weak due diligence and monitoring of third-party relationships and payments.

9.1.6 The contents of this report are reflected in ■ FCG 2 (Financial crime systems and controls) and ■ FCG 6 (Bribery and corruption).

9.2 The FSA’s findings

9.2.1 You can read the findings of the FSA’s thematic review here: http://www.fsa.gov.uk/pubs/anti_bribery.pdf

9.3 Consolidated examples of good and poor practice

9.3.1 Governance and management information

Examples of good practice

• Clear, documented responsibility for anti-bribery and corruption apportioned to either a single senior manager or a committee with appropriate Terms of Reference and senior management membership, reporting ultimately to the Board.

• Good Board-level and senior management understanding of the bribery and corruption risks faced by the firm, the materiality to their business and how to apply a risk-based approach to anti-bribery and corruption work.

• Swift and effective senior management-led response to significant bribery and corruption events, which highlight potential areas for improvement in systems and controls.

• Regular MI to the Board and other relevant senior management forums.

• MI includes information about third parties including (but not limited to) new third party accounts, their risk classification, higher risk third party payments for the preceding period, changes to third-party bank account details and unusually high commission paid to third parties.

• MI submitted to the Board ensures they are adequately informed of any external developments relevant to bribery and corruption.

• Actions taken or proposed in response to issues highlighted by MI are minuted and acted on appropriately.

Examples of poor practice

• Failing to allocate official responsibility for anti-bribery and corruption to a single senior manager or appropriately formed committee.

• A lack of awareness and/or engagement in anti-bribery and corruption at senior management or Board level.

• Little or no MI sent to the Board about higher risk third party relationships or payments.

• Failing to include details of wider issues, such as new legislation or regulatory developments in MI.

• IT systems unable to produce the necessary MI.

9.3.2 Risk assessment and responses to significant bribery and corruption events

Examples of good practice

• Regular assessments of bribery and corruption risks with a specific senior person responsible for ensuring this is done, taking into account the country and class of business involved as well as other relevant factors.

• More robust due diligence on and monitoring of higher risk third-party relationships.

• Thorough reviews and gap analyses of systems and controls against relevant external events, with strong senior management involvement or sponsorship.

• Ensuring review teams have sufficient knowledge of relevant issues and supplementing this with external expertise where necessary.

• Establishing clear plans to implement improvements arising from reviews, including updating policies, procedures and staff training.

• Adequate and prompt reporting to SOCA (Serious Organised Crime Agency. See FCG Annex 1 for common terms) and us of any inappropriate payments identified during business practice review.

Examples of poor practice

• Failing to consider the bribery and corruption risks posed by third parties used to win business.

• Failing to allocate formal responsibility for anti-bribery and corruption risk assessments.

• Little or no MI sent to the Board about higher risk third party relationships or payments.

• Failing to respond to external events which may draw attention to weaknesses in systems and controls.

• Taking too long to implement changes to systems and controls after analysing external events.

• Failure to bolster insufficient in-house knowledge or resource with external expertise.

• Failure to report inappropriate payments to SOCA and a lack of openness in dealing with us concerning any material issues identified.

9.3.3 Due diligence on third-party relationships

Examples of good practice

• Establishing and documenting policies with a clear definition of a ‘third party’ and the due diligence required when establishing and reviewing third-party relationships.

• More robust due diligence on third parties which pose the greatest risk of bribery and corruption, including a detailed understanding of the business case for using them.

• Having a clear understanding of the roles clients, reinsurers, solicitors and loss adjusters play in transactions to ensure they are not carrying out higher risk activities.

• Taking reasonable steps to verify the information provided by third parties during the due diligence process.

• Using third party forms which ask relevant questions and clearly state which fields are mandatory.

• Having third party account opening forms reviewed and approved by compliance, risk or committees involving these areas.

• Using commercially-available intelligence tools, databases and/or other research techniques such as internet search engines to check third-party declarations about connections to public officials, clients or the assured.

• Routinely informing all parties involved in the insurance transaction about the involvement of third parties being paid commission.

• Ensuring current third-party due diligence standards are appropriate when business is acquired that is higher risk than existing business.

• Considering the level of bribery and corruption risk posed by a third party when agreeing the level of commission.

• Setting commission limits or guidelines which take into account risk factors related to the role of the third party, the country involved and the class of business.

• Paying commission to third parties on a one-off fee basis where their role is pure introduction.

• Taking reasonable steps to ensure that bank accounts used by third parties to receive payments are, in fact, controlled by the third party for which the payment is meant. For example, broker firms might wish to see the third party’s bank statement or have the third party write them a low value cheque.

• Higher or extra levels of approval for high risk third-party relationships.

• Regularly reviewing third-party relationships to identify the nature and risk profile of third-party relationships.

• Maintaining accurate central records of approved third parties, the due diligence conducted on the relationship and evidence of periodic reviews.

Examples of poor practice

• Failing to carry out or document due diligence on third-party relationships.

• Relying heavily on the informal ‘market view’ of the integrity of third parties as due diligence.

• Relying on the fact that third-party relationships are longstanding when no due diligence has ever been carried out.

• Failing to respond to external events which may draw attention to weaknesses in systems and controls.

• Asking third parties to fill in account opening forms which are not relevant to them (e.g. individuals filling in forms aimed at corporate entities).

• Accepting vague explanations of the business case for using third parties.

• Approvers of third-party relationships working within the broking department or being too close to it to provide adequate challenge.

• Accepting instructions from third parties to pay commission to other individuals or entities which have not been subject to due diligence.

• Assuming that third-party relationships acquired from other firms have been subject to adequate due diligence.

• Paying high levels of commission to third parties used to obtain or retain higher risk business, especially if their only role is to introduce the business.

• Receiving bank details from third parties via informal channels such as email, particularly if email addresses are from webmail (e.g. Hotmail) accounts or do not appear to be obviously connected to the third party.

• Leaving redundant third-party accounts ‘live’ on the accounting systems because third-party relationships have not been regularly reviewed.

• Being unable to produce a list of approved third parties, associated due diligence and details of payments made to them.

9.3.4 Payment controls

Examples of good practice

• Ensuring adequate due diligence and approval of third-party relationships before payments are made to the third party.

• Risk-based approval procedures for payments and a clear understanding of why payments are made.

• Checking third-party payments individually prior to approval, to ensure consistency with the business case for that account.

• Regular and thorough monitoring of third-party payments to check, for example, whether a payment is unusual in the context of previous similar payments.

• A healthily sceptical approach to approving third-party payments.

• Adequate due diligence on new suppliers being added to the Accounts Payable system.

• Clear limits on staff expenditure, which are fully documented, communicated to staff and enforced.

• Limiting third-party payments from Accounts Payable to reimbursements of genuine business-related costs or reasonable entertainment.

• Ensuring the reasons for third-party payments via Accounts Payable are clearly documented and appropriately approved.

• The facility to produce accurate MI to facilitate effective payment monitoring.

Examples of poor practice

• Failing to check whether third parties to whom payments are due have been subject to appropriate due diligence and approval.

• The inability to produce regular third-party payment schedules for review.

• Failing to check thoroughly the nature, reasonableness and appropriateness of gifts and hospitality.

• No absolute limits on different types of expenditure, combined with inadequate scrutiny during the approvals process.

• The giving or receipt of cash gifts.
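The payment controls above (due diligence and approval before payment, commission limits tied to risk, checking each payment against its business case and against previous similar payments, and MI such as payment schedules and changes to bank details) are illustrated by the following Python example. It is added here for illustration and is not the FCA’s text or any firm’s code. The approved-third-party register, the payment history and the payment records are constructed placeholder data; the 3-standard-deviation rule, the ‘more than double’ fallback for short histories and the per-third-party commission limits are assumed thresholds a firm would set against its own risk appetite.

```python
"""Added illustration of third-party payment controls (constructed data only)."""
from __future__ import annotations

from statistics import mean, pstdev

# Constructed register of approved third parties (placeholder values).
APPROVED = {
    "TP-01": {"name": "Northwind Introducers", "risk": "high", "due_diligence_complete": True,
              "approved_bank": "GB00-PLACEHOLDER-01", "max_commission_pct": 10.0},
    "TP-02": {"name": "Harbour Consultants", "risk": "low", "due_diligence_complete": True,
              "approved_bank": "GB00-PLACEHOLDER-02", "max_commission_pct": 15.0},
}

# Constructed history of earlier approved payments per third party (GBP).
HISTORY = {
    "TP-01": [1200.0, 1350.0, 1100.0, 1250.0],
    "TP-02": [500.0, 520.0],
}


def review_payment(p: dict, approved: dict = APPROVED, history: dict = HISTORY) -> list[str]:
    """Return the reasons a proposed payment must be referred (empty list = clear).

    p needs: payee_id, amount, premium (gross premium the commission relates
    to, 0 if not applicable), bank_account, business_case.
    """
    tp = approved.get(p["payee_id"])
    if tp is None:
        # No approved relationship means no payment, whatever else checks out.
        return ["payee not on the approved third-party list"]
    flags = []
    if not tp["due_diligence_complete"]:
        flags.append("due diligence not completed")
    # Bank details must match what was verified at approval, whatever channel
    # a later change request arrived through (email from a webmail address included).
    if p["bank_account"] != tp["approved_bank"]:
        flags.append("bank account differs from approved details")
    premium = p.get("premium", 0)
    if premium > 0:
        rate = 100.0 * p["amount"] / premium
        if rate > tp["max_commission_pct"]:
            flags.append(f"commission {rate:.1f}% exceeds limit {tp['max_commission_pct']:.1f}%")
    # Is this payment unusual in the context of previous similar payments?
    prior = history.get(p["payee_id"], [])
    if len(prior) >= 3:
        mu, sigma = mean(prior), pstdev(prior)
        if p["amount"] > mu + 3 * sigma:
            flags.append(f"amount {p['amount']:.2f} unusual against history "
                         f"(mean {mu:.2f}, sd {sigma:.2f})")
    elif prior and p["amount"] > 2 * max(prior):
        flags.append("more than double any previous payment (limited history)")
    if not p.get("business_case"):
        flags.append("no documented business case")
    return flags


def payment_schedule(payments: list[dict]) -> dict[str, dict]:
    """MI summary per third party: count, total paid and how many were referred."""
    out: dict[str, dict] = {}
    for p in payments:
        row = out.setdefault(p["payee_id"], {"count": 0, "total": 0.0, "referred": 0})
        row["count"] += 1
        row["total"] += p["amount"]
        row["referred"] += 1 if review_payment(p) else 0
    return out


if __name__ == "__main__":
    proposed = {"payee_id": "TP-01", "amount": 4000.0, "premium": 20000.0,
                "bank_account": "GB00-PLACEHOLDER-09", "business_case": ""}
    for reason in review_payment(proposed):
        print("refer:", reason)
```

The checks deliberately return every reason rather than stopping at the first, so the approver sees the whole picture (an over-limit commission paid to a changed bank account with no business case is a very different case from a single mis-keyed amount), and the schedule gives the regular per-third-party view the table says firms were unable to produce.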

9.3.5 Staff recruitment and vetting

Examples of good practice

• Vetting staff on a risk-based approach, taking into account financial crime risk.

• Enhanced vetting – including checks of credit records, criminal records, financial sanctions lists, commercially available intelligence databases and the CIFAS Staff Fraud Database – for staff in roles with higher bribery and corruption risk.

• A risk-based approach to dealing with adverse information raised by vetting checks, taking into account its seriousness and relevance in the context of the individual’s role or proposed role.

• Where employment agencies are used to recruit staff in higher risk positions, having a clear understanding of the checks they carry out on prospective staff.

• Conducting periodic checks to ensure that agencies are complying with agreed vetting standards.

• A formal process for identifying changes in existing employees’ financial soundness which might make them more vulnerable to becoming involved in, or committing, corrupt practices.

Examples of poor practice

• Relying entirely on an individual’s market reputation or market gossip as the basis for recruiting staff.

• Failing to check thoroughly the nature, reasonableness and appropriateness of gifts and hospitality.

• Failing to consider on a continuing basis whether staff in higher risk positions are becoming vulnerable to committing fraud or being coerced by criminals.

• Relying on contracts with employment agencies covering staff vetting standards without checking periodically that the agency is adhering to them.

• Temporary or contract staff receiving less rigorous vetting than permanently employed colleagues carrying out similar roles.

9.3.6 Training and awareness

Examples of good practice

• Providing good quality, standard training on anti-bribery and corruption for all staff.

• Additional anti-bribery and corruption training for staff in higher risk positions.

• Ensuring staff responsible for training others have adequate training themselves.

• Ensuring training covers practical examples of risk and how to comply with policies.

• Testing staff understanding and using the results to assess individual training needs and the overall quality of the training.

• Staff records setting out what training was completed and when.

• Providing refresher training and ensuring it is kept up to date.

Examples of poor practice

• Failing to provide training on anti-bribery and corruption, especially to staff in higher risk positions.

• Training staff on legislative and regulatory requirements but failing to provide practical examples of how to comply with them.

• Failing to ensure anti-bribery and corruption policies and procedures are easily accessible to staff.

• Neglecting the need for appropriate staff training in the belief that robust payment controls are sufficient to combat anti-bribery and corruption.

9.3.7 Risk arising from remuneration structures

Examples of good practice

• Assessing whether remuneration structures give rise to increased risk of bribery and corruption.

• Determining individual bonus awards on the basis of several factors, including a good standard of compliance, not just the amount of income generated.

• Deferral and clawback provisions for bonuses paid to staff in higher risk positions.

Examples of poor practice

• Bonus structures for staff in higher risk positions which are directly linked (e.g. by a formula) solely to the amount of income or profit they produce, particularly when bonuses form a major part, or the majority, of total remuneration.

9.3.8 Incident reporting

Examples of good practice

• Clear procedures for whistleblowing and reporting suspicions, and communicating these to staff.

• Appointing a senior manager to oversee the whistleblowing process and act as a point of contact if an individual has concerns about their line management.

• Respect for the confidentiality of workers who raise concerns.

• Internal and external suspicious activity reporting procedures in line with the Joint Money Laundering Steering Group guidance.

• Keeping records or copies of internal suspicion reports which are not forwarded as SARs for future reference and possible trend analysis.

• Financial crime training covers whistleblowing procedures and how to report suspicious activity.

Examples of poor practice

• Failing to report suspicious activity relating to bribery and corruption.

• No clear internal procedure for whistleblowing or reporting suspicions.

• No alternative reporting routes for staff wishing to make a whistleblowing disclosure about their line management or senior managers.

• A lack of training and awareness in relation to whistleblowing and the reporting of suspicious activity.

9.3.9 The role of compliance and internal audit

Examples of good practice

• Compliance and internal audit staff receiving specialist training to achieve a very good knowledge of bribery and corruption risks.

• Effective compliance monitoring and internal audit reviews which challenge not only whether processes to mitigate bribery and corruption have been followed but also the effectiveness of the processes themselves.

• Independent checking of compliance’s operational role in approving third party relationships and accounts, where relevant.

• Routine compliance and/or internal audit checks of higher risk third party payments to ensure there is appropriate supporting documentation and adequate justification to pay.

Examples of poor practice

• Failing to carry out compliance or internal audit work on anti-bribery and corruption.

• Compliance, in effect, signing off their own work, by approving new third party accounts and carrying out compliance monitoring on the same accounts.

• Compliance and internal audit not recognising or acting on the need for a risk-based approach.


Chapter 10

The Small Firms Financial Crime Review (2010)

10.1 Introduction

10.1.1 Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to small firms in all sectors who are subject to the financial crime rules in SYSC 3.2.6R or SYSC 6.1.1R and small e-money institutions and payment institutions within our supervisory scope.

10.1.2 In May 2010 the FSA published the findings of its thematic review into the extent to which small firms across the financial services industry addressed financial crime risks in their business. The review conducted visits to 159 small retail and wholesale firms in a variety of financial sectors. It was the first systematic review of financial crime systems and controls in small firms conducted by the FSA.

10.1.3 The review covered three main areas: anti-money laundering and financial sanctions; data security; and fraud controls. The review sought to determine whether firms understood clearly the requirements placed on them by the wide range of legislation and regulations to which they were subject.

10.1.4 The FSA found that firms generally demonstrated a reasonable awareness of their obligations, particularly regarding AML systems and controls. But it found weaknesses across the sector regarding the implementation of systems and controls put in place to reduce firms’ broader financial crime risk.

10.1.5 The review emphasised the key role that the small firms sector often plays in acting as the first point of entry for customers to the wider UK financial services industry; and the importance, therefore, of firms having adequate customer due diligence measures in place. The report flagged up concerns relating to weaknesses in firms’ enhanced due diligence procedures when dealing with high-risk customers.

10.1.6 The FSA concluded that, despite an increased awareness of the risks posed by financial crime and information supplied by the FSA, small firms were generally weak in their assessment and mitigation of financial crime risks.

10.1.7 The contents of this report are reflected in FCG 2 (Financial crime systems and controls), FCG 3 (Money laundering and terrorist financing), FCG 4 (Fraud), FCG 5 (Data security) and FCG 7 (sanctions and asset freezes).

10.2 The FSA’s findings

10.2.1 You can read the findings of the FSA’s thematic review here: http://www.fsa.gov.uk/smallfirms/pdf/financial_crime_report.pdf

10.3 Consolidated examples of good and poor practice

10.3.1 Regulatory/Legal obligations

Examples of good practice

• A small IFA used policies and procedures which had been prepared by consultants but the MLRO had tailored these to the firm’s business. There was also a risk assessment of customers and products included in an MLRO report which was updated regularly.

• One general insurance (GI) intermediary had an AML policy in place which was of a very good standard and included many good examples of AML typologies relevant to GI business. Despite the fact that there is no requirement for an MLRO for a business of this type the firm had appointed an individual to carry out an MLRO function as a point of good practice.

Examples of poor practice

• An MLRO at an IFA was not familiar with the JMLSG guidance and had an inadequate knowledge of the firm’s financial crime policies and procedures.

10.3.2 Account opening procedures

Examples of good practice

• A discretionary portfolio manager had procedures that required the verification of the identity of all beneficial owners. The firm checked its customer base against sanctions lists and had considered the risks associated with PEPs. Most new customers were visited by the adviser at home and in these cases the advisers would usually ask for identity verification documents on the second meeting with the customer. Where business was conducted remotely, more (three or four) identity verification documents were required and the source of funds exemption was not used.

Examples of poor practice

• An IFA commented that they only dealt with investment customers that were well known to the firm or regulated entities. However, the firm had some high risk customers who were subject to very basic due diligence (e.g. copy of passport). The firm said that they were concerned about the high reputational impact an AML incident could have on their small, young business. The firm stated that they would deal with PEPs but with appropriate care. However, the firm did not have a rigorous system in place to be able to identify PEPs – this was a concern given the nationality and residence of some underlying customers. The firm appeared to have reasonable awareness of the sanctions requirements of both the Treasury and the United States Office of Foreign Assets Control (OFAC), but there was no evidence in the customer files of any sanctions checking.

• A venture capital firm had policies in place which required a higher level of due diligence and approval for high-risk customers. However, they had no system in place by which they could identify this type of customer.

10.3.3 Monitoring activity

Examples of good practice

• A credit union used a computer-based monitoring system which had been specially designed for business of this type. The system was able to produce a number of exception reports relating to the union’s members, including frequency of transactions and defaulted payments. The exception reports were reviewed daily. If there had been no activity on an account for 12 months it was suspended. If the customer was to return and request a withdrawal they would be required to prove their identity again.

• A Personal Pension Operator’s procedure for higher risk customers included gathering extra source of funds proof at customer take-on. The firm also conducted manual monitoring and produced valuation statements twice a year.

• Within a GI intermediary firm, there was a process where, if a customer made a quick claim after the policy had been taken out, their records were flagged on the firm’s monitoring system. This acted as an alert for any possible suspicious claims in the future.
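The credit union’s exception reporting described above, as an added worked example in Python. This is not code from the FCA review or from any firm it visited: it builds the three daily exception reports the review mentions (dormant accounts, unusual transaction frequency, defaulted payments) from a constructed sample ledger, suspends accounts with no activity for 12 months, and refuses a withdrawal from a suspended account until the member’s identity has been re-verified. The ledger entries, the 30-day comparison window, the 3x frequency multiplier and the minimum count of five transactions are all assumptions made for the illustration.

```python
"""Daily exception reports for a member-based firm such as a credit union.

Added illustration only: not code from the FCA review or from any firm it
visited. SAMPLE_LEDGER is constructed data; the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

DORMANCY_DAYS = 365     # assumption: "no activity for 12 months" means suspend
WINDOW_DAYS = 30        # assumption: recent window compared against the member's baseline
FREQ_MULTIPLIER = 3.0   # assumption: flag when recent count exceeds 3x the monthly baseline
FREQ_MIN_COUNT = 5      # assumption: ignore very small counts so a new member is not flagged


@dataclass(frozen=True)
class Entry:
    member: str
    when: date
    kind: str       # "deposit", "withdrawal", "repayment" or "missed_repayment"
    amount: float


def exception_reports(entries, as_of):
    """Build the dormant-account, transaction-frequency and defaulted-payment reports."""
    first_seen, last_seen = {}, {}
    recent, prior, missed = defaultdict(int), defaultdict(int), defaultdict(int)
    window_start = as_of - timedelta(days=WINDOW_DAYS)

    for e in entries:
        if e.when > as_of:
            continue                              # entries dated after the report date are ignored
        first_seen[e.member] = min(first_seen.get(e.member, e.when), e.when)
        if e.kind == "missed_repayment":
            missed[e.member] += 1                 # a default is not activity by the member
            continue
        last_seen[e.member] = max(last_seen.get(e.member, e.when), e.when)
        if e.when > window_start:
            recent[e.member] += 1
        else:
            prior[e.member] += 1

    dormant = sorted(m for m, d in last_seen.items() if (as_of - d).days >= DORMANCY_DAYS)

    frequency = []
    for m, n in recent.items():
        # Baseline: average transactions per 30-day period before the window opened.
        # A member first seen inside the window has no history, so the baseline is 0.
        prior_days = max((window_start - first_seen[m]).days, WINDOW_DAYS)
        baseline = prior[m] / (prior_days / WINDOW_DAYS)
        if n >= FREQ_MIN_COUNT and n > FREQ_MULTIPLIER * baseline:
            frequency.append((m, n, round(baseline, 2)))

    return {
        "dormant": dormant,
        "frequency": sorted(frequency),
        "defaults": sorted(missed.items()),
    }


class MemberAccounts:
    """Suspends dormant accounts and requires re-identification before a withdrawal."""

    def __init__(self):
        self.suspended = set()

    def apply_dormancy(self, report):
        self.suspended.update(report["dormant"])

    def request_withdrawal(self, member, identity_reverified=False):
        """Return True if the withdrawal may proceed."""
        if member in self.suspended:
            if not identity_reverified:
                return False                      # returning member must prove identity again
            self.suspended.discard(member)        # re-verified: lift the suspension
        return True


# Constructed sample ledger; report date 31 May 2010 (the review was published in May 2010).
AS_OF = date(2010, 5, 31)
SAMPLE_LEDGER = [
    # alice: one deposit a month, still active -> no exception
    *[Entry("alice", date(2009, m, 15), "deposit", 50.0) for m in range(6, 13)],
    *[Entry("alice", date(2010, m, 15), "deposit", 50.0) for m in range(1, 6)],
    # bob: nothing since May 2009 -> dormant, account suspended
    Entry("bob", date(2009, 5, 20), "withdrawal", 200.0),
    # carol: one deposit a month for a year, then 14 withdrawals in May 2010 -> frequency flag
    *[Entry("carol", date(2009, m, 1), "deposit", 100.0) for m in range(5, 13)],
    *[Entry("carol", date(2010, m, 1), "deposit", 100.0) for m in range(1, 5)],
    *[Entry("carol", date(2010, 5, d), "withdrawal", 90.0) for d in range(3, 17)],
    # dave: one repayment, then three missed repayments -> defaulted-payment report
    Entry("dave", date(2010, 1, 10), "repayment", 80.0),
    *[Entry("dave", date(2010, m, 10), "missed_repayment", 80.0) for m in (2, 3, 4)],
]


def run_sample():
    """Run the reports over the sample ledger and apply the dormancy suspensions."""
    report = exception_reports(SAMPLE_LEDGER, AS_OF)
    accounts = MemberAccounts()
    accounts.apply_dormancy(report)
    return report, accounts


if __name__ == "__main__":
    rep, acc = run_sample()
    for name, rows in rep.items():
        print(f"{name}: {rows}")
    print("bob, no re-identification:", acc.request_withdrawal("bob"))
    print("bob, after re-identification:", acc.request_withdrawal("bob", identity_reverified=True))
```

Missed repayments are counted on their own report and deliberately not treated as member activity, so they neither reset the dormancy clock nor inflate the frequency count. The frequency check compares a member against their own history rather than a fixed number, which is what makes carol’s burst of withdrawals stand out while alice’s steady monthly deposit does not.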

10.3.4 Suspicious activity reporting

Examples of poor practice

• One MLRO working at an IFA firm commented that he would forward all internal SARs he received to SOCA and would not exercise any judgement himself as to the seriousness of these SARs.

• At an IFA the MLRO did not demonstrate any knowledge of how to report a SAR to SOCA, what to report to SOCA, or how to draft a SAR. The firm’s policies and procedures contained a pro forma SAR but this was not a document the MLRO was familiar with.

• An IFA was unaware of the difference between reporting suspicions to SOCA and sanctions requirements, believing that if he identified a person on the Consolidated List he should carry on as normal and just report it as a SAR to SOCA.

10.3.5 Records

Examples of good practice

• An advising-only intermediary firm used a web-based system as its database of leads, contact names and addresses. It also stored telephone and meeting notes there which were accessed by staff using individual passwords.

• A home finance broker classified customers as A, B or C for record keeping purposes: A’s being Active, B’s being ‘one-off or infrequent business’ who he maintained contact with via a regular newsletter, and C’s being archived customers.

Examples of poor practice

• A file review at an IFA revealed disorganised files and missing KYC documentation in three of five files reviewed. Files did not always include a checklist. (We expect that KYC information should be kept together in the file so that it is easily identifiable and auditable.)

10.3.6 Training

Examples of good practice

• A GI intermediary used an on-line training website (costing around £100 per employee per year). The firm believed that the training was good quality and included separate modules on financial crime which were compulsory for staff to complete. Staff were also required to complete refresher training. An audit of all training completed was stored on-line.

• An IFA (sole trader) carried out on-line training on various financial crime topics. He also participated in conference call training where a trainer talked trainees through various topics while on-line; this was both time and travel efficient.

Examples of poor practice

• A GI intermediary explained that the compliance manager carried out regular audits to confirm staff knowledge was sufficient. However, on inspection of the training files it appeared that training was largely limited to product information and customer service and did not sufficiently cover financial crime.

• One credit union, apart from on-the-job training for new staff members, had no regular training in place and no method to test staff knowledge of financial crime issues.

10.3.7 Responsibilities and risk assessments

Examples of good practice

• At an IFA there was a clearly documented policy on data security which staff were tested on annually. The policy contained, but was not limited to, details around clear desks, non-sharing of passwords, the discouraging of the over-use of portable media devices, the secure disposal of data, and the logging of customer files removed from and returned to the office.

• An IFA had produced a written data security review of its business which had been prompted by their external consultants and largely followed the small firms’ factsheet material on data security, provided by the FSA in April 2008.

• In a personal pension operator, there was a full and comprehensive anti-fraud strategy in place and a full risk assessment had been carried out which was regularly reviewed. The firm’s financial transactions were normally ‘four eyed’ as a minimum and there were strict mandates on cheque signatures for the Finance Director and Finance Manager.

Examples of poor practice

• At an IFA, a risk assessment had been undertaken by the firm’s compliance consultant but the firm demonstrated no real appreciation of the financial crime risks in its business. The risk assessment was not tailored to the risks inherent in that business.

• An advising-only intermediary had its policies and procedures drawn up by an external consultant but these had not been tailored to the firm’s business. The MLRO was unclear about investigating and reporting suspicious activity to SOCA. The firm’s staff had not received formal training in AML or reporting suspicious activity to SOCA.

10.3.8 Access to systems

Examples of good practice

• In a Discretionary Investment Management firm, the Chief Executive ensured that he signed off on all data user profiles, ensuring that systems accesses were authorised by him.

• A discretionary investment manager conducted five year referencing on new staff, verified personal addresses and obtained character references from acquaintances not selected by the candidate. They also carried out annual credit checks, CRB checks and open source Internet searches on staff. There were role profiles for each job within the firm and these were reviewed monthly for accuracy.

• In a venture capital firm they imposed a minimum ten character (alpha/numeric, upper/lower case) password for systems access which had a 45-day enforced change period.

Examples of poor practice

• In a financial advisory firm there was no minimum length for passwords (although these had to be alpha/numeric) and the principal of the firm plus one other colleague knew all staff members’ passwords.

• In an advising-only intermediary, staff set their own systems passwords which had no defined length or complexity and were only changed every six months.

10.3.9 Outsourcing

Examples of good practice

• A discretionary investment manager used an external firm for IT support and had conducted its own on-site review of the IT firm’s security arrangements. The same firm also insisted on CRB checks for cleaners.

• An IFA had received a request from an introducer to provide names of customers who had bought a certain financial product. The firm refused to provide the data as it considered the request unnecessary and wanted to protect its customer data. It also referred the matter to the Information Commissioner, who supported the firm’s actions.

• A general insurance intermediary employed office cleaners supplied by an agency that conducts due diligence including CRB checks. Office door codes were regularly changed, and always if there was a change in staff.

• In an authorised professional firm, unauthorised data access attempts by staff were monitored by the IT manager and email alerts sent to staff and management when identified.

• In a general insurance intermediary the two directors had recently visited the offsite data storage facility to satisfy themselves about the security arrangements at the premises.

Examples of poor practice

• An authorised professional firm employed the services of third-party cleaners, security staff, and an offsite confidential waste company, but had carried out no due diligence on any of these parties.

• An IFA allowed a third-party IT consultant full access rights to its customer databank. Although the firm had a service agreement in place that allowed full audit rights between the adviser and the IT company to monitor the security arrangements put in place by the IT company, this had not been invoked by the IFA, in contrast to other firms visited where such audits had been undertaken.

• In an authorised professional firm, Internet and Hotmail usage was only monitored if it was for longer than 20 minutes at any one time. There was also no clear-desk policy within the firm.

• In an authorised professional firm there had been two incidents where people had walked into the office and stolen staff wallets and laptops.

10.3.10 Physical controls

Examples of good practice

• At an IFA, staff email was monitored and monthly MI was produced, which included monitoring of where emails had been directed to staff home addresses.

• At an investment advisory firm, staff were prohibited from using the Internet and Hotmail accounts. USB ports had been disabled on hardware and laptops were encrypted.

Examples of poor practice

• In a general insurance intermediary which had poor physical security in terms of shop front access, there were many insecure boxes of historical customer records dotted around the office in no apparent order. The firm had no control record of what was stored in the boxes, saying only that they were no longer needed for the business.

10.3.11 Data disposal

Examples of good practice

• An advising and arranging intermediary used a third party company for all paper disposals, using secure locked bins provided by the third party. All paper in the firm was treated as confidential and ‘secure paper management’ was encouraged throughout the firm, enhanced by a monitored clear-desk policy. The firm was also aware that it needed to consider a process for secure disposal of electronic media as it was due to undergo a systems refit in the near future.

• An IFA treated all customer paperwork as confidential and had onsite shredding facilities. For bulk shredding the firm used a third party who provided bags and tags for labelling sensitive waste for removal, and this was collected and signed for by the third party. The firm’s directors had visited the third party’s premises and satisfied themselves of their processes. The directors periodically checked office bins for confidential waste being mishandled. PCs which had come to ‘end of life’ were wiped using reputable software and physically destroyed.

Examples of poor practice

• In an IFA there was a clear-desk policy that was not enforced and customer data was stored in unlocked cabinets which were situated in a part of the office accessible to all visitors to the firm.

10.3.12 Data compromise incidents

Examples of good practice

• A general insurance broker had suffered a succession of break-ins to their offices. No data had been lost or stolen but the firm sought the advice of local police over the incidents and employed additional physical security as a result.

Examples of poor practice

• In a general insurance intermediary, the IT manager said he would take responsibility for any data security incidents although there were no procedures in place for how to handle such occurrences. When asked about data security, the compliance officer was unable to articulate the financial crime risks that lax data security processes posed to the firm and said it would be something he would discuss with his IT manager.

10.3.13 General fraud

Examples of good practice

• A small product provider had assessed the fraud risk presented by each product and developed appropriate controls to mitigate this risk based on the assessment. This assessment was then set out in the firm’s Compliance Manual and was updated when new information became available.

• A credit union did not permit its members to change address details over the telephone. These needed to be submitted in writing/email. The firm also considered the feasibility of allocating passwords to their members for accessing their accounts. The union had photographs of all its members which were taken when the account was opened. These were then used to verify the identity of the customer should they wish to withdraw money or apply for a loan from the union.

• One discretionary investment manager kept full records of all customer contact including details of any phone calls. When receiving incoming calls from product providers, the firm required the caller to verify where they were calling from and provide a contact telephone number which they were then called back on before any customer details were discussed or instructions taken.

• One general insurance intermediary was a member of a local association whose membership included law enforcement and Law Society representatives. This group met in order to share local intelligence to help improve their firms’ defences against financial crime.

Examples of poor practice

• One GI broker permitted customers to contact the firm by telephone to inform the firm of any amendments to their personal details (including change of address). To verify the identity of the person they were speaking to, the firm asked security questions. However, all the information that the firm used to verify the customer’s identity was available in the public domain.

10.3.14 Insurance fraud

Examples of good practice

• A small general insurer had compiled a handbook which detailed indicators of potential insurance fraud.

• An IFA had undertaken a risk assessment to understand where his business was vulnerable to insurance fraud.

• An IFA had identified where their business may be used to facilitate insurance fraud and implemented more controls in these areas.

Examples of poor practice

• An IFA had a procedure in place to aid in the identification of high risk customers. However, once identified, this firm had no enhanced due diligence procedures in place to deal with such customers.

10.3.15 Investment fraud

Examples of good practice

• An IFA had undertaken a risk assessment for all high net worth customers.

• A discretionary investment manager referred higher risk decisions (in respect of a high risk customer/value of funds involved) to a specific senior manager.

• A personal pension operator carried out a financial crime risk assessment for newly introduced investment products.

Examples of poor practice

• An IFA had a ‘one size fits all’ approach to identifying the risks associated with customers and investments.

10.3.16 Mortgage fraud

Examples of good practice

• The majority of firms conducted customer fact finds. This allowed them to know their customers sufficiently to identify any suspicious behaviour. CDD (Customer Due Diligence; see FCG Annex 1 for common terms), including source of funds information, was also obtained early in the application process, before the application was completed and submitted to the lender.

• A home finance broker would not conduct any remote business – meeting all customers face-to-face.

• An IFA had informally assessed the mortgage fraud risks the business faced and was aware of potentially suspicious indicators. The IFA also looked at the fraud risks associated with how the customer approached the firm – e.g. the firm felt that a cold call from a customer may pose a greater risk than those which had been referred by longstanding customers.

Examples of poor practice

• An IFA did not undertake any KYC checks, considering this to be the responsibility of the lender.

• An IFA did not investigate source of funds. The firm stated this was because ‘a bank would pick it up and report it.’

• An IFA did not undertake extra verification of its non face-to-face customers.

10.3.17 Staff/Internal fraud

Examples of good practice

• An IFA obtained full reference checks (proof of identity, eligibility to work and credit checks) prior to appointment. Original certificates or other original documentation were also requested.

• An IFA ensured that staff vetting was repeated by completing a credit reference check on each member of staff.

• An IFA set a low credit limit for each of its company credit cards. Bills are sent to the firm and each month the holder has to produce receipts to reconcile their claim.

• At one authorised professional firm dual signatory requirements had to be met for all payments made over £5,000.

Examples of poor practice

• One general insurance intermediary did not undertake any background checks before appointing a member of staff or authenticate qualifications or references.

• Company credit card usage was not monitored or reconciled at an IFA.

• An IFA had the same computer log-on used by all staff in the office no matter what their role.

Chapter 11

Mortgage fraud against lenders (2011)

■ Release 53 ● Aug 2020 www.handbook.fca.org.uk FCTR 11/1

11.1 Introduction

11.1.1 Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to mortgage lenders within our supervisory scope. It may also be of interest to other firms who are subject to the financial crime rules in ■ SYSC 3.2.6R or ■ SYSC 6.1.1R.

11.1.2 In June 2011 the FSA published the findings of its thematic review into how mortgage lenders in the UK were managing the risks mortgage fraud posed to their businesses. The project population of 20 banks and building societies was selected to be a representative sample of the mortgage lending market. The firms the FSA visited accounted for 56% of the mortgage market in 2010.

11.1.3 The FSA’s review found the industry had made progress coming to terms with the problem of containing mortgage fraud over recent years. Defences were stronger, and the value of cross-industry cooperation was better recognised. However, the FSA found that many in the industry could do better; the FSA were disappointed, for example, that more firms were not actively participating in the FSA’s Information From Lenders scheme and other industry-wide initiatives to tackle mortgage fraud. Other areas of concern the FSA identified were to do with the adequacy of firms’ resources for dealing with mortgage fraud, both in terms of the number and experience of staff; and the FSA identified scope for significant improvement in the way lenders dealt with third parties such as brokers, valuers and conveyancers.

11.1.4 The contents of this report are reflected in ■ FCG 2 (Financial crime systems and controls) and ■ FCG 4 (Fraud) of Part 1 of this Guide.

11.2 The FSA’s findings

11.2.1 You can read the findings of the FSA’s thematic review here: http://www.fsa.gov.uk/pubs/other/mortgage_fraud.pdf

11.3 Consolidated examples of good and poor practice

11.3.1 Governance, culture and information sharing

Examples of good practice

• A firm’s efforts to counter mortgage fraud are coordinated, and based on consideration of where anti-fraud resources can be allocated to best effect.

• Senior management engage with mortgage fraud risks and receive sufficient management information about incidents and trends.

• A firm engages in cross-industry efforts to exchange information about fraud risks.

• A firm engages front-line business areas in anti-mortgage fraud initiatives.

Examples of poor practice

• A firm fails to report relevant information to the Information From Lenders scheme as per the guidance on IFL referrals.

• A firm fails to define mortgage fraud clearly, undermining efforts to compile statistics related to mortgage fraud trends.

• A firm does not allocate responsibility for countering mortgage fraud clearly within the management hierarchy.

11.3.2 Applications processing and underwriting

Examples of good practice

• A firm’s underwriting process can identify applications that may, based on a thorough assessment of risk flags relevant to the firm, present a higher risk of mortgage fraud.

• Underwriters can contact all parties to the application process (customers, brokers, valuers etc.) to clarify aspects of the application.

• The firm verifies that deposit monies for a mortgage transaction are from a legitimate source.

• New or inexperienced underwriters receive training about mortgage fraud risks, potential risk indicators, and the firm’s approach to tackling the issue.

• A firm requires underwriters to justify all declined applications to brokers.

Examples of poor practice

• A firm’s underwriters have a poor understanding of potential fraud indicators, whether through inexperience or poor training.

• Underwriters’ demanding work targets undermine efforts to contain mortgage fraud.

• A firm does not allocate responsibility for countering mortgage fraud clearly within the management hierarchy.

• A firm relying on manual underwriting has no checklists to ensure the application process is complete.

11.3.3 Mortgage fraud prevention, investigations, and recoveries

Examples of good practice

• A firm routinely assesses fraud risks during the development of new mortgage products, with particular focus on fraud when it enters new areas of the mortgage market (such as sub-prime or buy-to-let).

• A firm reviews existing mortgage books to identify fraud indicators.

• Applications that are declined for fraudulent reasons result in a review of pipeline and back book cases where associated fraudulent parties are identified.

• A firm has planned how counter-fraud resources could be increased in response to future growth in lending volumes, including consideration of the implications for training, recruitment and information technology.

• A firm documents the criteria for initiating a fraud investigation.

• Seeking consent from the Serious Organised Crime Agency (SOCA) to accept mortgage payments wherever fraud is identified.

Examples of poor practice

• A firm’s anti-fraud efforts are uncoordinated and under-resourced.

• Fraud investigators lack relevant experience or knowledge of mortgage fraud issues, and have received insufficient training.

• A firm’s internal escalation procedures are unclear and leave staff confused about when and how to report their concerns about mortgage fraud.

11.3.4 Managing relationships with conveyancers, brokers and valuers

Examples of good practice

• A firm has identified third parties they will not deal with, drawing on a range of internal and external information.

• A third party reinstated to a panel after termination is subject to fresh due diligence checks.

• A firm has planned how counter-fraud resources could be increased in response to future growth in lending volumes, including consideration of the implications for training, recruitment and information technology.

• Where a conveyancer is changed during the processing of an application, lenders contact both the original and new conveyancer to ensure the change is for a legitimate reason.

• A firm checks whether third parties maintain professional indemnity cover.

• A firm has a risk-sensitive process for subjecting property valuations to independent checks.

• A firm can detect brokers ‘gaming’ their systems, for example by submitting applications designed to discover the firm’s lending thresholds, or submitting multiple similar applications known to be within the firm’s lending policy.

• A firm verifies that funds are dispersed in line with instructions held, particularly where changes to the Certificate of Title occur just before completion.

Examples of poor practice

• A firm’s scrutiny of third parties is a one-off exercise; membership of a panel is not subject to ongoing review.

• A firm’s panels are too large to be manageable. No work is undertaken to identify dormant third parties.

• A firm solely relies on the Financial Services Register to check mortgage brokers, while scrutiny of conveyancers only involves a check of public material from the Law Society or Solicitors Regulation Authority.

• A firm’s internal escalation procedures are unclear and leave staff confused about when and how to report their concerns about mortgage fraud.

11.3.5 Compliance and internal audit

Examples of good practice

• A firm has subjected anti-fraud measures to ‘end-to-end’ scrutiny, to assess whether defences are coordinated, rather than solely reviewing adherence to specific procedures in isolation.

• There is a degree of specialist anti-fraud expertise within the compliance and internal audit functions.

Examples of poor practice

• A firm’s management of third party relationships is subject to only cursory oversight by compliance and internal audit.

• Compliance and internal audit staff demonstrate a weak understanding of mortgage fraud risks, because of inexperience or deficient training.

11.3.6 Staff recruitment and vetting

Examples of good practice

• A firm requires staff to disclose conflicts of interest stemming from their relationships with third parties such as brokers or conveyancers.

• A firm has considered what enhanced vetting methods should be applied to different roles (e.g. credit checks, criminal record checks, CIFAS staff fraud database, etc).

• A firm adopts a risk-sensitive approach to managing adverse information about an employee or new candidate.

• A firm seeks to identify when a deterioration in employees’ financial circumstances may indicate increased vulnerability to becoming involved in fraud.

Examples of poor practice

• A firm uses recruitment agencies without understanding the checks they perform on candidates, and without checking whether they continue to meet agreed recruitment standards.

• Staff vetting is a one-off exercise.

• Enhanced vetting techniques are applied only to staff in Approved Persons positions.

• A firm’s vetting of temporary or contract staff is less thorough than checks on permanent staff in similar roles.

11.3.7 Remuneration structures

Examples of good practice

• A firm has considered whether remuneration structures could incentivise behaviour that may increase the risk of mortgage fraud.

• A firm’s bonuses related to mortgage sales will take account of subsequent fraud losses, whether through an element of deferral or by ‘clawback’ arrangements.

Examples of poor practice

• The variable element of a firm’s remuneration of mortgage salespeople is solely driven by the volume of sales they achieve, with no adjustment for sales quality or other qualitative factors related to compliance.

• The variable element of salespeople’s remuneration is excessive.

• Staff members’ objectives fail to reflect any consideration of mortgage fraud prevention.

11.3.8 Staff training and awareness

Examples of good practice

• A firm’s financial crime training delivers clear messages about mortgage fraud across the organisation, with tailored training for staff closest to the issues.

• A firm verifies that staff understand training materials, perhaps with a test.

• Training is updated to reflect new mortgage fraud trends and types.

• Mortgage fraud ‘champions’ offer guidance or mentoring to staff.

Examples of poor practice

• A firm fails to provide adequate training on mortgage fraud, particularly to staff in higher-risk business areas.

• A firm relies on staff reading up on the topic of mortgage fraud on their own initiative, without providing formal training support.

• A firm fails to ensure mortgage lending policies and procedures are readily accessible to staff.

• A firm fails to define mortgage fraud in training documents or policies and procedures.

• Training fails to ensure all staff are aware of their responsibilities to report suspicions, and the channels they should use.

Chapter 12

Banks’ management of high money-laundering risk situations (2011)

12.1 Introduction

12.1.1 Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to banks we supervise under the Money Laundering Regulations. ■ FCTR 12.3.2G – ■ FCTR 12.3.5G also apply to other firms we supervise under the Money Laundering Regulations that have customers who present a high money-laundering risk. It may be of interest to other firms we supervise under the Money Laundering Regulations.

12.1.2 In June 2011 the FSA published the findings of its thematic review of how banks operating in the UK were managing money-laundering risk in higher-risk situations. The FSA focused in particular on correspondent banking relationships, wire transfer payments and high-risk customers including politically exposed persons (PEPs). The FSA conducted 35 visits to 27 banking groups in the UK that had significant international activity exposing them to the AML risks on which the FSA were focusing.

12.1.3 The FSA’s review found no major weaknesses in banks’ compliance with the legislation relating to wire transfers. On correspondent banking, there was a wide variance in standards with some banks carrying out good quality AML work, while others, particularly among the smaller banks in the FSA’s sample, carried out either inadequate due diligence or none at all.

12.1.4 However, the FSA’s main conclusion was that around three-quarters of banks in its sample, including the majority of major banks, were not always managing high-risk customers and PEP relationships effectively and had to do more to ensure they were not used for money laundering purposes. The FSA identified serious weaknesses in banks’ systems and controls, as well as indications that some banks were willing to enter into very high-risk business relationships without adequate controls when there were potentially large profits to be made. This meant that the FSA found it likely that some banks were handling the proceeds of corruption or other financial crime.

12.1.5 The contents of this report are reflected in ■ FCG 2 (Financial crime systems and controls) and ■ FCG 3 (Money laundering and terrorist financing).

12.2 The FSA’s findings

12.2.1 You can read the findings of the FSA’s thematic review here: http://www.fsa.gov.uk/pubs/other/aml_final_report.pdf

12.3 Consolidated examples of good and poor practice

12.3.1 In addition to the examples of good and poor practice below, Section 6 of the report also included case studies illustrating relationships into which banks had entered which caused the FSA particular concern. The case studies can be accessed via the link in the paragraph above.

12.3.2 High risk customers and PEPs – AML policies and procedures

Examples of good practice

• Senior management take money laundering risk seriously and understand what the Money Laundering Regulations 2007 are trying to achieve.

• Keeping AML policies and procedures up to date to ensure compliance with evolving legal and regulatory obligations.

• A clearly articulated definition of a PEP (and any relevant sub-categories) which is well understood by relevant staff.

• Considering the risk posed by former PEPs and ‘domestic PEPs’ on a case-by-case basis.

• Ensuring adequate due diligence has been carried out on all customers, even if they have been referred by somebody who is powerful or influential or a senior manager.

• Providing good quality training to relevant staff on the risks posed by higher risk customers including PEPs and correspondent banks.

• A clearly articulated definition of a PEP (and any relevant sub-categories) which is well understood by relevant staff.

• Ensuring RMs (Relationship Managers) and other relevant staff understand how to manage high money laundering risk customers by training them on practical examples of risk and how to mitigate it.

• Keeping training material comprehensive and up-to-date, and repeating training where necessary to ensure relevant staff are aware of changes to policy and emerging risks.

Examples of poor practice

• A lack of commitment to AML risk management among senior management and key AML staff.

• Failing to conduct quality assurance work to ensure AML policies and procedures are fit for purpose and working in practice.

• Informal, undocumented processes for identifying, classifying and declassifying customers as PEPs.

• Failing to carry out enhanced due diligence on customers with political connections who, although they do not meet the legal definition of a PEP, still represent a high risk of money laundering.

• Giving waivers from AML policies without good reason.

• Considering the reputational risk rather than the AML risk presented by customers.

• Using group policies which do not comply fully with UK AML legislation and regulatory requirements.

• Using consultants to draw up policies which are then not implemented.

• Failing to allocate adequate resources to AML.

• Failing to provide training to relevant staff on how to comply with AML policies and procedures for managing high-risk customers.

• Failing to ensure policies and procedures are easily accessible to staff.

12.3.3 High risk customers and PEPs – Risk assessment

Examples of good practice

• Using robust risk assessment systems and controls appropriate to the nature, scale and complexities of the bank’s business.

• Considering the money-laundering risk presented by customers, taking into account a variety of factors including, but not limited to, company structures; political connections; country risk; the customer’s reputation; source of wealth/funds; expected account activity; sector risk; and involvement in public contracts.

• Risk assessment policies which reflect the bank’s risk assessment procedures and risk appetite.

• Clear understanding and awareness of risk assessment policies, procedures, systems and controls among relevant staff.

• Quality assurance work to ensure risk assessment policies, procedures, systems and controls are working effectively in practice.

• Appropriately-weighted scores for risk factors which feed in to the overall customer risk assessment.

• A clear audit trail to show why customers are rated as high, medium or low risk.

Examples of poor practice

• Allocating higher risk countries with low risk scores to avoid having to conduct EDD.

• MLROs who are too stretched or under resourced to carry out their function appropriately.

• Failing to risk assess customers until shortly before an FCA visit.

• Allowing RMs to override customer risk scores without sufficient evidence to support their decision.

• Inappropriate customer classification systems which make it almost impossible for a customer to be classified as high risk.
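The risk assessment points above (appropriately-weighted factor scores, a clear audit trail for the rating, RM overrides only with sufficient evidence, and classification systems that can actually produce a high-risk rating) as an added Python illustration. This is not the FCA's text or any bank's system: the factor names, weights, rating scale, tier cut-offs and the sample ratings are constructed assumptions for the example.

```python
"""Weighted customer risk scoring with an audit trail (added illustration).

Not the FCA's or any bank's system: factor names, weights, rating scale and
tier cut-offs below are constructed assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed weights: how much each risk factor contributes to the score.
FACTOR_WEIGHTS: Dict[str, float] = {
    "country_risk": 3.0,
    "political_connections": 4.0,
    "sector_risk": 2.0,
    "structure_opacity": 3.0,
    "adverse_reputation": 3.0,
    "public_contracts": 2.0,
}
FACTOR_MAX = 3  # each factor is rated 0 (none) .. 3 (severe); constructed scale
# Constructed tier cut-offs, checked from highest to lowest.
TIER_CUTOFFS: List[Tuple[str, float]] = [("high", 25.0), ("medium", 12.0), ("low", 0.0)]


@dataclass
class RiskAssessment:
    customer_id: str
    score: float
    tier: str
    audit_trail: List[str] = field(default_factory=list)


def tier_for(score: float, cutoffs: List[Tuple[str, float]] = TIER_CUTOFFS) -> str:
    """Map a score to the first tier whose minimum it meets."""
    for tier, minimum in cutoffs:
        if score >= minimum:
            return tier
    return cutoffs[-1][0]


def score_customer(customer_id: str, factors: Dict[str, int],
                   weights: Dict[str, float] = FACTOR_WEIGHTS) -> RiskAssessment:
    """Weight each factor rating, sum, assign a tier and record why."""
    trail: List[str] = []
    total = 0.0
    for name, weight in weights.items():
        rating = factors.get(name, 0)  # an unrated factor counts as no risk found
        if not 0 <= rating <= FACTOR_MAX:
            raise ValueError(f"{name}: rating {rating} outside 0..{FACTOR_MAX}")
        contribution = weight * rating
        total += contribution
        trail.append(f"{name}: rating {rating} x weight {weight} = {contribution}")
    tier = tier_for(total)
    trail.append(f"total {total} -> tier {tier}")
    return RiskAssessment(customer_id, total, tier, trail)


def override_tier(assessment: RiskAssessment, new_tier: str,
                  approver: str, evidence: str) -> RiskAssessment:
    """An override of the scored tier is accepted only with recorded evidence
    and a named approver, and is always written to the audit trail."""
    if not evidence.strip():
        raise PermissionError("override refused: no supporting evidence recorded")
    assessment.audit_trail.append(
        f"override {assessment.tier} -> {new_tier} by {approver}: {evidence}")
    assessment.tier = new_tier
    return assessment


def high_tier_reachable(weights: Dict[str, float],
                        cutoffs: List[Tuple[str, float]] = TIER_CUTOFFS) -> bool:
    """Sanity check on the scheme itself: if even the worst possible ratings
    cannot reach 'high', the classification system is the poor practice above."""
    max_score = sum(w * FACTOR_MAX for w in weights.values())
    return tier_for(max_score, cutoffs) == "high"


# Constructed sample: a customer with political connections in a high-risk
# country, an opaque structure and public-contract involvement.
SAMPLE_FACTORS = {"country_risk": 3, "political_connections": 3, "sector_risk": 1,
                  "structure_opacity": 2, "adverse_reputation": 0, "public_contracts": 2}

if __name__ == "__main__":
    result = score_customer("cust-0001", SAMPLE_FACTORS)
    print("\n".join(result.audit_trail))
    print("scheme can produce 'high':", high_tier_reachable(FACTOR_WEIGHTS))
```

The audit trail records every factor's contribution and any override, so a reviewer can see why a customer landed in a tier; `high_tier_reachable` is the quality-assurance check that the weights and cut-offs together still allow a customer to be classified as high risk.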

12.3.4 High risk customers and PEPs – Customer take-on

Examples of good practice

• Ensuring files contain a customer overview covering risk assessment, documentation, verification, expected account activity, profile of customer or business relationship and ultimate beneficial owner.

• The MLRO (and their team) have adequate oversight of all high-risk relationships.

• Clear processes for escalating the approval of high risk and all PEP customer relationships to senior management or committees which consider AML risk and give appropriate challenge to RMs and the business.

• Using, where available, local knowledge and open source internet checks to supplement commercially available databases when researching potential high risk customers including PEPs.

• Having clear risk-based policies and procedures setting out the EDD required for higher risk and PEP customers, particularly in relation to source of wealth.

• Effective challenge of RMs and business units by banks’ AML and compliance teams, and senior management.

• Reward structures for RMs which take into account good AML/compliance practice rather than simply the amount of profit generated.

• Clearly establishing and documenting PEP and other high-risk customers’ source of wealth.

• Where money laundering risk is very high, supplementing CDD with independent intelligence reports and fully exploring and reviewing any credible allegations of criminal conduct by the customer.

• Understanding and documenting complex or opaque ownership and corporate structures and the reasons for them.

• Face-to-face meetings and discussions with high-risk and PEP prospects before accepting them as a customer.

• Making clear judgements on money-laundering risk which are not compromised by the potential profitability of new or existing relationships.

• Recognising and mitigating the risk arising from RMs becoming too close to customers and conflicts of interest arising from RMs’ remuneration structures.

Examples of poor practice

• Failing to give due consideration to certain political connections which fall outside the Money Laundering Regulations 2007 definition of a PEP (eg wider family) which might mean that certain customers still need to be treated as high risk and subject to enhanced due diligence.

• Poor quality, incomplete or inconsistent CDD.

• Relying on Group introductions where overseas standards are not UK-equivalent or where CDD is inaccessible due to legal constraints.

• Inadequate analysis and challenge of information found in documents gathered for CDD purposes.

• Lacking evidence of formal sign-off and approval by senior management of high-risk and PEP customers and failure to document appropriately why the customer was within AML risk appetite.

• Failing to record adequately face-to-face meetings that form part of CDD.

• Failing to carry out EDD for high risk/PEP customers.

• Failing to conduct adequate CDD before customer relationships are approved.

• Over-reliance on undocumented ‘staff knowledge’ during the CDD process.

• Granting waivers from establishing a customer’s source of funds, source of wealth and other CDD without good reason.

• Discouraging business units from carrying out adequate CDD, for example by charging them for intelligence reports.

• Failing to carry out CDD on customers because they were referred by senior managers.

• Failing to ensure CDD for high-risk and PEP customers is kept up-to-date in line with current standards.

• Allowing ‘cultural difficulties’ to get in the way of proper questioning to establish required CDD records.

• Holding information about customers of their UK operations in foreign countries with banking secrecy laws if, as a result, the firm’s ability to access or share CDD is restricted.

• Allowing accounts to be used for purposes inconsistent with the expected activity on the account (e.g. personal accounts being used for business) without enquiry.

• Insufficient information on source of wealth with little or no evidence to verify that the wealth is not linked to crime or corruption.

• Failing to distinguish between source of funds and source of wealth.

• Relying exclusively on commercially-available PEP databases and failure to make use of available open source information on a risk-based approach.

• Failing to understand the reasons for complex and opaque offshore company structures.

• Failing to ensure papers considered by approval committees present a balanced view of money laundering risk.

• No formal procedure for escalating prospective customers to committees and senior management on a risk based approach.

• Failing to take account of credible allegations of criminal activity from reputable sources.

• Concluding that adverse allegations against customers can be disregarded simply because they hold an investment visa.

• Accepting regulatory and/or reputational risk where there is a high risk of money laundering.

12.3.5 High risk customers and PEPs – Enhanced monitoring of high risk relationships

Examples of good practice

• Transaction monitoring which takes account of up-to-date CDD information including expected activity, source of wealth and source of funds.

• Regularly reviewing PEP relationships at a senior level based on a full and balanced assessment of the source of wealth of the PEP.

• Monitoring new clients more closely to confirm or amend the expected account activity.

• A risk-based framework for assessing the necessary frequency of relationship reviews and the degree of scrutiny required for transaction monitoring.

• Proactively following up gaps in, and updating, CDD during the course of a relationship.

• Ensuring transaction monitoring systems are properly calibrated to identify higher risk transactions and reduce false positives.

• Keeping good records and a clear audit trail of internal suspicion reports sent to the MLRO, whether or not they are finally disclosed to SOCA.

• A good knowledge among key AML staff of a bank’s highest risk/PEP customers.

• More senior involvement in resolving alerts raised for transactions on higher risk or PEP customer accounts, including ensuring adequate explanation and, where necessary, corroboration of unusual transactions from RMs and/or customers.

• Global consistency when deciding whether to keep or exit relationships with high-risk customers and PEPs.

• Assessing RMs’ performance on ongoing monitoring and feeding this into their annual performance assessment and pay review.

• Lower transaction monitoring alert thresholds for higher risk customers.

Examples of poor practice

• Failing to carry out regular reviews of high-risk and PEP customers in order to update CDD.

• Reviews carried out by RMs with no independent assessment by money laundering or compliance professionals of the quality or validity of the review.

• Failing to disclose suspicious transactions to SOCA.

• No formal procedure for escalating prospective customers to committees and senior management on a risk based approach.

• Failing to seek consent from SOCA on suspicious transactions before processing them.

• Unwarranted delay between identifying suspicious transactions and disclosure to SOCA.

• Treating annual reviews as a tick-box exercise and copying information from the previous review.

• Annual reviews which fail to assess AML risk and instead focus on business issues such as sales or debt repayment.

• Failing to apply enhanced ongoing monitoring techniques to high-risk clients and PEPs.

• Failing to update CDD based on actual transactional experience.

• Allowing junior or inexperienced staff to play a key role in ongoing monitoring of high-risk and PEP customers.

• Failing to apply sufficient challenge to explanations from RMs and customers about unusual transactions.

• RMs failing to provide timely responses to alerts raised on transaction monitoring systems.
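The monitoring points above (alert thresholds that are lower for higher risk customers, monitoring that takes account of the expected activity recorded in CDD, and timely RM responses to alerts) as an added Python illustration. It is not from the FCA or any bank: the tiers, thresholds, expected-activity tolerance, response deadlines, and the sample customers and transactions are all constructed for the example.

```python
"""Risk-tiered transaction monitoring over constructed sample data (added illustration).

Not from the FCA or any bank: tiers, thresholds, the expected-activity tolerance,
response deadlines and the customers and transactions below are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed single-transaction alert thresholds: higher risk tiers alert at
# lower amounts, as the good practice above describes.
TIER_THRESHOLDS: Dict[str, float] = {"low": 50_000.0, "medium": 20_000.0, "high": 5_000.0}
# Constructed: monthly turnover may exceed the CDD expected figure by this factor.
EXPECTED_ACTIVITY_TOLERANCE = 1.5
# Constructed RM response deadline per tier, so overdue alerts can be reported.
RESPONSE_SLA_DAYS: Dict[str, int] = {"low": 10, "medium": 5, "high": 2}


@dataclass
class Customer:
    customer_id: str
    tier: str                          # output of the customer risk assessment
    expected_monthly_turnover: float   # expected activity recorded in the CDD file


@dataclass
class Transaction:
    customer_id: str
    amount: float
    when: datetime


@dataclass
class Alert:
    customer_id: str
    reason: str
    raised: datetime
    respond_by: datetime


def would_alert_single(amount: float, tier: str) -> bool:
    """Whether one transaction of this size alerts for a customer in this tier."""
    return amount >= TIER_THRESHOLDS[tier]


def monitor(customers: List[Customer], transactions: List[Transaction],
            now: datetime) -> List[Alert]:
    """Raise alerts for large single transactions (tier-dependent threshold) and
    for monthly turnover out of line with the expected activity held in CDD."""
    by_id = {c.customer_id: c for c in customers}
    alerts: List[Alert] = []
    monthly: Dict[Tuple[str, int, int], float] = {}
    for t in transactions:
        c = by_id[t.customer_id]
        if would_alert_single(t.amount, c.tier):
            alerts.append(Alert(c.customer_id,
                                f"single transaction {t.amount:.2f} >= tier '{c.tier}' "
                                f"threshold {TIER_THRESHOLDS[c.tier]:.2f}",
                                t.when, t.when + timedelta(days=RESPONSE_SLA_DAYS[c.tier])))
        key = (c.customer_id, t.when.year, t.when.month)
        monthly[key] = monthly.get(key, 0.0) + t.amount
    for (cid, year, month), total in monthly.items():
        c = by_id[cid]
        limit = c.expected_monthly_turnover * EXPECTED_ACTIVITY_TOLERANCE
        if total > limit:
            alerts.append(Alert(cid,
                                f"{year}-{month:02d} turnover {total:.2f} exceeds expected "
                                f"{c.expected_monthly_turnover:.2f} x {EXPECTED_ACTIVITY_TOLERANCE}",
                                now, now + timedelta(days=RESPONSE_SLA_DAYS[c.tier])))
    return alerts


def overdue(alerts: List[Alert], now: datetime) -> List[Alert]:
    """Alerts whose RM response deadline has passed (the poor practice above)."""
    return [a for a in alerts if now > a.respond_by]


# Constructed sample: a low-risk trading company and a high-risk (PEP) customer.
SAMPLE_CUSTOMERS = [Customer("A-low", "low", 40_000.0),
                    Customer("B-pep", "high", 10_000.0)]
SAMPLE_TRANSACTIONS = [
    Transaction("A-low", 30_000.0, datetime(2024, 3, 3)),
    Transaction("A-low", 25_000.0, datetime(2024, 3, 10)),
    Transaction("B-pep", 8_000.0, datetime(2024, 3, 5)),   # over the 'high' threshold
    Transaction("B-pep", 4_000.0, datetime(2024, 3, 12)),
    Transaction("B-pep", 4_500.0, datetime(2024, 3, 20)),  # pushes March over expected
]
SAMPLE_NOW = datetime(2024, 3, 31)


def run_sample() -> Tuple[List[Alert], List[Alert]]:
    """Run the monitor over the constructed sample; returns (alerts, overdue alerts)."""
    alerts = monitor(SAMPLE_CUSTOMERS, SAMPLE_TRANSACTIONS, SAMPLE_NOW)
    return alerts, overdue(alerts, SAMPLE_NOW)


if __name__ == "__main__":
    raised, late = run_sample()
    for a in raised:
        print(a.customer_id, "|", a.reason, "| respond by", a.respond_by.date())
    print("overdue:", [a.reason for a in late])
```

On the sample the same 8,000 payment alerts for the high-risk customer but would not for the low-risk one, the PEP's March turnover alerts because it is out of line with the expected activity held in CDD, and the earlier alert shows as overdue at month end because the two-day response deadline for the high tier has passed.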

Correspondent banking – Risk assessment of respondent banks

Examples of good practice Examples of poor practice

• Regular assessments of cor- • Failing to consider therespondent banking risks money-laundering risks oftaking into account various correspondent rela-money laundering risk fac- tionships.tors such as the country(and its AML regime); own-ership/management struc-ture (including the possibleimpact/influence that ulti-mate beneficial ownerswith political connectionsmay have); products/opera-tions; transaction volumes;market segments; the qual-ity of the respondent’sAML systems and controlsand any adverse informa-tion known about the re-spondent.

• More robust monitoring of • Inadequate or no docu-respondents identified as mented policies and pro-presenting a higher risk. cedures setting out how to

deal with respondents.

• Risk scores that drive the • Applying a ‘one size fitsfrequency of relationship all’ approach to due dili-reviews. gence with no assessment

of the risks of doing busi-ness with respondents loc-ated in higher riskcountries.

• Taking into consideration • Failing to prioritise higherpublicly available informa- risk customers and transac-tion from national govern- tions for review.ment bodies and non-gov-ernmental organisationsand other credible sources.

• Failing to take into ac-count high-risk businesstypes such as money ser-

Page 103: Financial Crime Thematic Reviews - FCA HandbookFCTR 17 Managing bribery and corruption risk in commercial insurance broking–update (2014) 17.1 Introduction 17.2 The FCAfindings

FCTR 12 : Banks’ management Section 12.3 : Consolidated examples ofof high money-laundering risk good and poor practicesituations (2011)

12

12.3.7

■ Release 53 ● Aug 2020 www.handbook.fca.org.uk FCTR 12/11

vice businesses and off-shore banks.

Correspondent banking – Customer take-on

Examples of good practice Examples of poor practice

Examples of good practice
• Assigning clear responsibility for the CDD process and the gathering of relevant documentation.
• EDD for respondents that present greater risks or where there is less publicly available information about the respondent.
• Gathering enough information to understand client details; ownership and management; products and offerings; transaction volumes and values; client market segments; client reputation; as well as the AML control environment.
• Screening the names of senior managers, owners and controllers of respondent banks to identify PEPs and assessing the risk that identified PEPs pose.
• Independent quality assurance work to ensure that CDD standards are up to required standards consistently across the bank.
• Discussing with overseas regulators and other relevant bodies the AML regime in a respondent's home country.
• Visiting, or otherwise liaising with, respondent banks to discuss AML issues and gather CDD information.
• Gathering information about procedures at respondent firms for sanctions screening and identifying/managing PEPs.
• Understanding respondents' processes for monitoring account activity and reporting suspicious activity.
• Requesting details of how respondents manage their own correspondent banking relationships.
• Senior management/senior committee sign-off for new correspondent banking relationships and reviews of existing ones.

Examples of poor practice
• Inadequate CDD on parent banks and/or group affiliates, particularly if the respondent is based in a high-risk jurisdiction.
• Collecting CDD information but failing to assess the risks.
• Applying a 'one size fits all' approach to due diligence with no assessment of the risks of doing business with respondents located in higher risk countries.
• Failing to follow up on outstanding information that has been requested during the CDD process.
• Failing to follow up on issues identified during the CDD process.
• Relying on parent banks to conduct CDD for a correspondent account and taking no steps to ensure this has been done.
• Collecting AML policies etc but making no effort to assess them.
• Having no information on file for expected activity volumes and values.
• Failing to consider adverse information about the respondent or individuals connected with it.
• No senior management involvement in the approval process for new correspondent bank relationships or existing relationships being reviewed.

12.3.8 Correspondent banking – Ongoing monitoring of respondent accounts

Examples of good practice
• Review periods driven by the risk rating of a particular relationship, with high risk relationships reviewed more frequently.
• Obtaining an updated picture of the purpose of the account and expected activity.
• Updating screening of respondents and connected individuals to identify individuals/entities with PEP connections or on relevant sanctions lists.
• Involving senior management and AML staff in reviews of respondent relationships and consideration of whether to maintain or exit high-risk relationships.
• Where appropriate, using intelligence reports to help decide whether to maintain or exit a relationship.
• Carrying out ad-hoc reviews in light of material changes to the risk profile of a customer.

Examples of poor practice
• Copying periodic review forms year after year without challenge from senior management.
• Failing to take account of any changes to key staff at respondent banks.
• Carrying out annual reviews of respondent relationships but failing to consider money-laundering risk adequately.
• Failing to assess new information gathered during ongoing monitoring of a relationship.
• Failing to consider money laundering alerts generated since the last review.
• Relying on parent banks to carry out monitoring of respondents without understanding what monitoring has been done or what the monitoring found.
• Failing to take action when respondents do not provide satisfactory answers to reasonable questions regarding activity on their account.
• Focusing too much on reputational or business issues when deciding whether to exit relationships with respondents which give rise to high money-laundering risk.

12.3.9 Wire transfers – Paying banks

Examples of good practice
• Banks' core banking systems ensure that all static data (name, address, account number) held on the ordering customer are automatically inserted in the correct lines of the outgoing MT103 payment instruction and any matching MT202COV.

Examples of poor practice
• Paying banks take insufficient steps to ensure that all outgoing MT103s contain sufficient beneficiary information to mitigate the risk of customer funds being incorrectly blocked, delayed or rejected.

12.3.10 Wire transfers – Intermediary banks

Examples of good practice
• Where practical, intermediary and beneficiary banks delay processing payments until they receive complete and meaningful information on the ordering customer.
• Intermediary and beneficiary banks have systems that generate an automatic investigation every time an MT103 appears to contain inadequate payer information.
• Following processing, risk-based sampling of inward payments identifies inadequate payer information.
• Searching for phrases in payment messages such as 'one of our clients' or 'our valued customer', in all the main languages, which may indicate a bank or customer trying to conceal their identity.

Examples of poor practice
• Banks have no procedures in place to detect incoming payments containing meaningless or inadequate payer information, which could allow payments in breach of sanctions to slip through unnoticed.

12.3.11 Wire transfers – Beneficiary banks

Examples of good practice
• Establishing a specialist team to undertake risk-based sampling of incoming customer payments, with subsequent detailed analysis to identify banks initiating cross-border payments containing inadequate or meaningless payer information.
• Actively engaging in dialogue with peers about the difficult issue of taking appropriate action against persistently offending banks.

Examples of poor practice
• Insufficient processes to identify payments with incomplete or meaningless payer information.

12.3.12 Wire transfers – Implementation of SWIFT MT202COV

Examples of good practice
• Reviewing all correspondent banks' use of the MT202 and MT202COV.
• Introducing the MT202COV as an additional element of the CDD review process, including whether the local regulator expects proper use of the new message type.
• Always sending an MT103 and matching MT202COV wherever the sending bank has a correspondent relationship and is not in a position to 'self clear' (eg for Euro payments within a scheme of which the bank is a member).
• Searching relevant fields in MT202 messages for the word 'cover' to detect when the MT202COV is not being used as it should be.

Examples of poor practice
• Continuing to use the MT202 for all bank-to-bank payments, even if the payment is cover for an underlying customer transaction.
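The detection practices listed for intermediary and beneficiary banks (automatically investigating an MT103 whose payer information is inadequate, and searching for concealment phrases such as 'one of our clients') and the MT202 'cover' search above can be implemented as a single screening routine. The following Python is an added example, not code from the FCA, the FSA or any bank in the review. It parses the block-4 fields of a FIN message with a simplified regular expression (assumption: every field starts at the beginning of a line with its `:NN:` tag), recognises an MT202COV by the `{119:COV}` tag in the block-3 user header, and applies constructed rules: the ordering customer field (50A, 50F or 50K) must carry an account line followed by at least two name/address lines containing real text, and must not contain a phrase from a constructed multilingual concealment list; a plain MT202 whose field 21 or 72 narrative says 'cover' is flagged as a misused cover payment. The sample messages, BICs, references, party names, phrase list and placeholder tokens are all constructed for illustration.

```python
import re

# Constructed illustrative phrase list (English plus three translations); the
# review recommends searching in all the main languages a bank handles.
CONCEALMENT_PHRASES = (
    "one of our clients", "our valued customer", "our good customer",
    "un de nos clients", "einer unserer kunden", "uno de nuestros clientes",
)
# Constructed tokens that carry no identifying information about the payer.
PLACEHOLDER_TOKENS = {"N/A", "NA", "NONE", "UNKNOWN", "NOT AVAILABLE", "XXX", "."}

BLOCK2_RE = re.compile(r"\{2:[IO](\d{3})")    # application header: I/O + MT number
BLOCK4_RE = re.compile(r"\{4:(.*?)-\}", re.S)  # text block, terminated by '-}'
FIELD_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*?)(?=^:\d{2}[A-Z]?:|\Z)", re.S | re.M)


def parse_fin(message: str) -> dict:
    """Return the message type ('103', '202' or '202COV') and its block-4 fields."""
    mt = BLOCK2_RE.search(message)
    body = BLOCK4_RE.search(message)
    if not mt or not body:
        raise ValueError("not a well-formed FIN message")
    mtype = mt.group(1)
    # An MT202COV is an MT202 whose user header (block 3) carries field 119 = COV.
    if mtype == "202" and "{119:COV}" in message:
        mtype = "202COV"
    fields = {tag: val.strip() for tag, val in FIELD_RE.findall(body.group(1))}
    return {"type": mtype, "fields": fields}


def check_ordering_customer(fields: dict) -> list:
    """Flag a missing, placeholder-only or evasive ordering customer (field 50A/50F/50K)."""
    tag = next((t for t in ("50A", "50F", "50K") if t in fields), None)
    if tag is None:
        return ["field 50 (ordering customer) missing"]
    raw = fields[tag]
    findings = [f"field {tag} contains concealment phrase '{p}'"
                for p in CONCEALMENT_PHRASES if p in raw.lower()]
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    # Simplified rule (assumption): first line '/account', then name/address lines.
    has_account = bool(lines) and lines[0].startswith("/")
    identity = lines[1:] if has_account else lines
    if not has_account:
        findings.append(f"field {tag} carries no account number")
    if len(identity) < 2:
        findings.append(f"field {tag} has fewer than two name/address lines")
    if any(ln.upper() in PLACEHOLDER_TOKENS or not re.search(r"[A-Za-z]{2,}", ln)
           for ln in identity):
        findings.append(f"field {tag} contains a placeholder or meaningless line")
    return findings


def check_plain_202(fields: dict) -> list:
    """A bare MT202 whose narrative says 'cover' should have been sent as an MT202COV."""
    narrative = " ".join(fields.get(t, "") for t in ("21", "72")).upper()
    if re.search(r"\bCOVER\b|/COV/", narrative):
        return ["MT202 carries cover-payment wording in field 21/72; an MT202COV "
                "with the ordering customer (field 50) was expected"]
    return []


def screen(message: str) -> list:
    """Findings for one FIN message; an empty list means nothing to investigate."""
    msg = parse_fin(message)
    if msg["type"] in ("103", "202COV"):
        return check_ordering_customer(msg["fields"])
    if msg["type"] == "202":
        return check_plain_202(msg["fields"])
    return []


# Constructed sample messages (fictitious BICs, references and parties).
HDR = "{1:F01AAAAGB2LAXXX0000000000}{2:I%sBBBBDEFFXXXXN}"


def _msg(mtype: str, *fields: str, block3: str = "") -> str:
    """Assemble a constructed FIN message from block-4 field strings."""
    return HDR % mtype + block3 + "{4:\n" + "\n".join(fields) + "\n-}"


BENEFICIARY = ":59:/DE89370400440532013000\nHANS MUELLER"
SAMPLE_CLEAN_103 = _msg("103", ":20:REF0001", ":23B:CRED", ":32A:200801GBP1000,00",
                        ":50K:/12345678\nJOHN SMITH\n1 HIGH STREET\nLONDON", BENEFICIARY, ":71A:SHA")
SAMPLE_CONCEALED_103 = _msg("103", ":20:REF0002", ":23B:CRED", ":32A:200801USD25000,00",
                            ":50K:/12345678\nONE OF OUR CLIENTS\nREF INVOICE 77", BENEFICIARY, ":71A:SHA")
SAMPLE_PLACEHOLDER_103 = _msg("103", ":20:REF0003", ":23B:CRED", ":32A:200801EUR500,00",
                              ":50K:/99\nN/A", BENEFICIARY, ":71A:SHA")
SAMPLE_PLAIN_202_AS_COVER = _msg("202", ":20:REF0004", ":21:REF0002", ":32A:200801USD25000,00",
                                 ":58A:CCCCFRPPXXX", ":72:/BNF/COVER FOR CUSTOMER TRANSFER")
SAMPLE_202COV = _msg("202", ":20:REF0005", ":21:REF0001", ":32A:200801GBP1000,00",
                     ":58A:CCCCFRPPXXX", ":50K:/12345678\nJOHN SMITH\n1 HIGH STREET\nLONDON",
                     BENEFICIARY, block3="{3:{119:COV}}")

if __name__ == "__main__":
    for m in (SAMPLE_CLEAN_103, SAMPLE_CONCEALED_103, SAMPLE_PLACEHOLDER_103,
              SAMPLE_PLAIN_202_AS_COVER, SAMPLE_202COV):
        parsed = parse_fin(m)
        print(parsed["fields"]["20"], parsed["type"], screen(m) or "OK")
```

Running the module screens the five constructed messages and prints the findings per reference. In a bank the phrase list would be maintained by the financial crime team in every language the correspondent network uses, and a hit would open an investigation case and, where practical, hold the payment until the ordering bank supplies complete payer details, rather than merely print a line.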

Chapter 13

Anti-bribery and corruption systems and controls in investment banks (2012)

13.1 Introduction

13.1.1 Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to:

• investment banks and firms carrying on investment banking or similar activities in the UK;

• all other firms who are subject to our financial crime rules in SYSC 3.2.6R or SYSC 6.1.1R; and

• electronic money institutions and payment institutions within our supervisory scope.

FCTR 13.3.5G and FCTR 13.3.6G only apply to firms or institutions who use third parties to win business.

13.1.2 In March 2012, the FSA published the findings of its review of investment banks' anti-bribery and corruption systems and controls. The FSA visited 15 investment banks and firms carrying on investment banking or similar activities in the UK to assess how they were managing bribery and corruption risk. Although this report focused on investment banking, its findings are relevant to other sectors.

13.1.3 The FSA found that although some investment banks had completed a great deal of work to implement effective anti-bribery and corruption controls in the months preceding its visit, the majority of them had more work to do and some firms' systems and controls fell short of its regulatory requirements. Weaknesses related in particular to: many firms' limited understanding of the applicable legal and regulatory regimes; incomplete or inadequate bribery and corruption risk assessments; lack of senior management oversight; and failure to monitor the effective implementation of, and compliance with, anti-bribery and corruption policies and procedures.

13.1.4 The contents of this report are reflected in FCG 6 (Bribery and corruption).

13.2 The FSA's findings

13.2.1 You can read the findings of the FSA's thematic review here: http://www.fsa.gov.uk/pubs/other/anti-bribery-investment-banks.pdf

13.3 Consolidated examples of good and poor practice

13.3.1 In addition to the examples of good and poor practice below, Section 6 of the report also included case studies illustrating relationships into which banks had entered which caused the FSA particular concern. The case studies can be accessed via the link in the paragraph above.

13.3.2 Governance and management information (MI)

Examples of good practice
• Clear, documented responsibility for anti-bribery and corruption apportioned to either a single senior manager or a committee with appropriate terms of reference and senior management membership, reporting ultimately to the Board.
• Regular and substantive MI to the Board and other relevant senior management forums, including: an overview of the bribery and corruption risks faced by the business; systems and controls to mitigate those risks; information about the effectiveness of those systems and controls; and legal and regulatory developments.
• Where relevant, MI includes information about third parties, including (but not limited to) new third-party accounts, their risk classification, higher risk third-party payments for the preceding period, changes to third-party bank account details and unusually high commission paid to third parties.
• Considering the risk posed by former PEPs and 'domestic PEPs' on a case-by-case basis.
• Actions taken or proposed in response to issues highlighted by MI are minuted and acted on appropriately.

Examples of poor practice
• Failing to establish an effective governance framework to address bribery and corruption risk.
• Failing to allocate responsibility for anti-bribery and corruption to a single senior manager or an appropriately formed committee.
• Little or no MI sent to the Board about bribery and corruption issues, including legislative or regulatory developments, emerging risks and higher risk third-party relationships or payments.

13.3.3 Assessing bribery and corruption risk

Examples of good practice
• Responsibility for carrying out a risk assessment and keeping it up-to-date is clearly apportioned to an individual or a group of individuals with sufficient levels of expertise and seniority.
• The firm takes adequate steps to identify the bribery and corruption risk. Where internal knowledge and understanding of corruption risk is limited, the firm supplements this with external expertise.
• Risk assessment is a continuous process based on qualitative and relevant information available from internal and external sources.
• Firms consider the potential conflicts of interest which might lead business units to downplay the level of bribery and corruption risk to which they are exposed.
• The bribery and corruption risk assessment informs the development of monitoring programmes; policies and procedures; training; and operational processes.
• The risk assessment demonstrates an awareness and understanding of firms' legal and regulatory obligations.
• The firm assesses where risks are greater and concentrates its resources accordingly.
• The firm considers financial crime risk when designing new products and services.

Examples of poor practice
• The risk assessment is a one-off exercise.
• Efforts to understand the risk assessment are piecemeal and lack coordination.
• Risk assessments are incomplete and too generic.
• Firms do not satisfy themselves that staff involved in risk assessment are sufficiently aware of, or sensitised to, bribery and corruption issues.

13.3.4 Policies and procedures

Examples of good practice
• The firm clearly sets out the behaviour expected of those acting on its behalf.
• Firms have conducted a gap analysis of existing bribery and corruption procedures against applicable legislation, regulations and guidance and made necessary enhancements.
• The firm has a defined process in place for dealing with breaches of policy.
• The team responsible for ensuring the firm's compliance with its anti-bribery and corruption obligations engages with the business units about the development and implementation of anti-bribery and corruption systems and controls.
• Anti-bribery and corruption policies and procedures will vary depending on a firm's exposure to bribery and corruption risk. But in most cases, firms should have policies and procedures which cover expected standards of behaviour; escalation processes; conflicts of interest; expenses, gifts and hospitality; the use of third parties to win business; whistleblowing; monitoring and review mechanisms; and disciplinary sanctions for breaches. These policies need not be in a single 'ABC policy' document and may be contained in separate policies.
• There should be an effective mechanism for reporting issues to the team or committee responsible for ensuring compliance with the firm's anti-bribery and corruption obligations.

Examples of poor practice
• The firm has no method in place to monitor and assess staff compliance with anti-bribery and corruption policies and procedures.
• Staff responsible for the implementation and monitoring of anti-bribery and corruption policies and procedures have inadequate expertise on bribery and corruption.

13.3.5 Third-party relationships and due diligence

Examples of good practice
• Where third parties are used to generate business, these relationships are subject to thorough due diligence and management oversight.
• Third-party relationships are reviewed regularly and in sufficient detail to confirm that they are still necessary and appropriate to continue.
• There are higher, or extra, levels of due diligence and approval for high risk third-party relationships.
• There is appropriate scrutiny of, and approval for, relationships with third parties that introduce business to the firm.
• The firm's compliance function has oversight of all third-party relationships and monitors this list to identify risk indicators, eg a third party's political or public service connections.
• Evidence that a risk-based approach has been adopted to identify higher risk relationships in order to apply enhanced due diligence.
• Enhanced due diligence procedures include a review of the third party's own anti-bribery and corruption controls.
• Consideration, where appropriate, of compliance involvement in interviewing consultants and the provision of anti-bribery and corruption training to consultants.
• Inclusion of anti-bribery and corruption-specific clauses and appropriate protections in contracts with third parties.

Examples of poor practice
• A firm using intermediaries fails to satisfy itself that those businesses have adequate controls to detect and prevent staff using bribery or corruption to generate business.
• The firm fails to establish and record an adequate commercial rationale for using the services of third parties.
• The firm is unable to produce a list of approved third parties, associated due diligence and details of payments made to them.
• There is no checking of compliance's operational role in approving new third-party relationships and accounts.
• A firm assumes that long-standing third-party relationships present no bribery or corruption risk.
• A firm relies exclusively on informal means, such as staff's personal knowledge, to assess the bribery and corruption risk associated with third parties.
• No prescribed take-on process for new third-party relationships.
• A firm does not keep full records of due diligence on third parties and cannot evidence that it has considered the bribery and corruption risk associated with a third-party relationship.
• The firm cannot provide evidence of appropriate checks to identify whether introducers and consultants are PEPs.
• Failure to demonstrate that due diligence information in another language has been understood by the firm.

13.3.6 Payment controls

Examples of good practice
• Ensuring adequate due diligence on and approval of third-party relationships before payments are made to the third party.
• Risk-based approval procedures for payments and a clear understanding of the reason for all payments.
• Checking third-party payments individually prior to approval, to ensure consistency with the business case for that account.
• Regular and thorough monitoring of third-party payments to check, for example, whether a payment is unusual in the context of previous similar payments.
• A healthily sceptical approach to approving third-party payments.
• Adequate due diligence on new suppliers being added to the Accounts Payable system.
• Clear limits on staff expenditure, which are fully documented, communicated to staff and enforced.
• Limiting third-party payments from Accounts Payable to reimbursements of genuine business-related costs or reasonable hospitality.
• Ensuring the reasons for third-party payments via Accounts Payable are clearly documented and appropriately approved.
• The facility to produce accurate MI to assist effective payment monitoring.

Examples of poor practice
• Failing to check whether third parties to whom payments are due have been subject to appropriate due diligence and approval.
• Failing to produce regular third-party payment schedules for review.
• Failing to check thoroughly the nature, reasonableness and appropriateness of gifts and hospitality.
• No absolute limits on different types of expenditure, combined with inadequate scrutiny during the approvals process.

13.3.7 Gifts and hospitality (G&H)

Examples of good practice
• Policies and procedures clearly define the approval process and the limits applicable to G&H.
• Processes for filtering G&H by employee, client and type of hospitality for analysis.
• Processes to identify unusual or unauthorised G&H and deviations from approval limits for G&H.
• Staff are trained on G&H policies to an extent appropriate to their role, in terms of both content and frequency, and regularly reminded to disclose G&H in line with policy.
• Cash or cash-equivalent gifts are prohibited.
• Political and charitable donations are approved at an appropriate level, with input from the appropriate control function, and subject to appropriate due diligence.

Examples of poor practice
• Senior management do not set a good example to staff on G&H policies.
• Acceptable limits and the approval process are not defined.
• The G&H policy is not kept up-to-date.
• G&H and levels of staff compliance with related policies are not monitored.
• No steps are taken to minimise the risk of gifts going unrecorded.
• Failure to record a clear rationale for approving gifts that fall outside set thresholds.
• Failure to check whether charities being donated to are linked to relevant political or administrative decision-makers.

13.3.8 Staff recruitment and vetting

Examples of good practice
• Vetting staff on a risk-based approach, taking into account financial crime risk.
• Enhanced vetting – including checks of credit records, criminal records, financial sanctions lists and commercially-available intelligence databases – for staff in roles with higher bribery and corruption risk.
• Conducting periodic checks to ensure that agencies are complying with agreed vetting standards.

Examples of poor practice
• Failing to carry out ongoing checks to identify changes that could affect an individual's integrity and suitability.
• No risk-based processes for identifying staff who are PEPs or otherwise connected to relevant political or administrative decision-makers.
• Where employment agencies are used to recruit staff, failing to demonstrate a clear understanding of the checks these agencies carry out on prospective staff.
• Temporary or contract staff receiving less rigorous vetting than permanently employed colleagues carrying out similar roles.

13.3.9 Training and awareness

Examples of good practice
• Providing good quality, standard training on anti-bribery and corruption for all staff.
• Ensuring training covers relevant and practical examples.
• Keeping training material and staff knowledge up-to-date.
• Awareness-raising initiatives, such as special campaigns and events to support routine training, are organised.

Examples of poor practice
• Failing to provide training on ABC that is targeted at staff with greater exposure to bribery and corruption risks.
• Failing to monitor and measure the quality and effectiveness of training.

13.3.10 Remuneration structures

Examples of good practice
• Remuneration takes account of good compliance behaviour, not simply the amount of business generated.
• Identifying higher-risk functions from a bribery and corruption perspective and reviewing remuneration structures to ensure they do not encourage unacceptable risk taking.

Examples of poor practice
• Failing to reflect poor staff compliance with anti-bribery and corruption policy and procedures in staff appraisals and remuneration.

13.3.11 Incident reporting and management

Examples of good practice
• Clear procedures for whistleblowing and the reporting of suspicions, which are communicated to staff.
• Details about whistleblowing hotlines are visible and accessible to staff.
• Where whistleblowing hotlines are not provided, firms should consider measures to allow staff to raise concerns in confidence or, where possible, anonymously, with adequate levels of protection, and communicate this clearly to staff.
• Firms use information gathered from whistleblowing and internal complaints to assess the effectiveness of their anti-bribery and corruption policies and procedures.

Examples of poor practice
• Failing to maintain proper records of incidents and complaints.

Chapter 14

Banks' defences against investment fraud (2012)

14.1 Introduction

14.1.1 Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to deposit-taking institutions with retail customers.

14.1.2 The FSA's thematic review, Banks' defences against investment fraud, published in June 2012, set out the findings of its visits to seven retail banks and one building society to assess the systems and controls in place to contain the risks posed by investment fraudsters.

14.1.3 UK consumers are targeted by share-sale frauds and other scams including land-banking frauds, unauthorised collective investment schemes and Ponzi schemes. Customers of UK deposit-takers may fall victim to these frauds, or be complicit in them.

14.1.4 The contents of this report are reflected in FCG 4.2.5G.

14.2 The FSA's findings

14.2.1 You can read the findings of the FSA's thematic review here: http://www.fsa.gov.uk/static/pubs/other/banks-defences-against-investment-fraud.pdf

14.3 Consolidated examples of good and poor practice

14.3.1 In addition to the examples of good and poor practice below, Section 6 of the report also included case studies illustrating relationships into which banks had entered which caused the FSA particular concern. The case studies can be accessed via the link in the paragraph above.

14.3.2 Governance

• A bank can demonstrate • A bank lacks a clear struc-senior management owner- ture for the governance ofship and understanding of investment fraud or for es-fraud affecting customers, calating issues relating toincluding investment fraud. investment fraud. Respect-

ive responsibilities are notclear.

• There is a clear organis- • A bank lacks a clear ration-ational structure for ad- ale for allocating resourcesdressing the risk to cus- to protecting customerstomers and the bank aris- from investment fraud.ing from fraud, including in-vestment fraud. There isevidence of appropriate in-formation moving acrossthis governance structurethat demonstrates its effect-iveness in use.

• A bank has recognised sub- • A bank lacks documentedject matter experts on in- policies and procedures re-vestment fraud supporting lating to investment fraud.or leading the investigationprocess.

• A bank seeks to measure its • There is a lack of commun-performance in preventing ication between a bank’sdetriment to customers. AML and fraud teams on

investment fraud.

• When assessing the case formeasures to prevent finan-cial crime, a bank considersbenefits to customers, aswell as the financial impacton the bank.

14.3.3 Risk assessment

Examples of good practice

• A bank regularly assesses the risk to itself and its customers of losses from fraud, including investment fraud, in accordance with its established risk management framework. The risk assessment does not only cover situations where the bank could suffer losses, but also where customers could lose and not be reimbursed by the bank. Resource allocation and mitigation measures are also informed by this assessment.

• A bank performs ‘horizon scanning’ work to identify changes in the fraud types relevant to the bank and its customers.

Examples of poor practice

• A bank has performed no risk assessment that considers the risk to customers from investment fraud.

• A bank’s regulatory compliance, risk management and internal audit functions’ assurance activities do not effectively challenge the risk assessment framework.

14.3.4 Detecting perpetrators

Examples of good practice

• A bank’s procedures for opening commercial accounts include an assessment of the risk of the customer, based on the proposed business type, location and structure.

• Account opening information is used to categorise a customer relationship according to its risk. The bank then applies different levels of transaction monitoring based on this assessment.

• A bank screens new customers to prevent the take-on of possible investment fraud perpetrators.

Examples of poor practice

• A bank only performs the customer risk assessment at account set up and does not update this through the course of the relationship.

• A bank does not use account set up information (such as anticipated turnover) in transaction monitoring.

• A bank allocates excessive numbers of commercial accounts to a staff member to monitor, rendering the ongoing monitoring ineffective.

• A bank allocates responsibility for the ongoing monitoring of the customer to customer-facing staff with many other conflicting responsibilities.

14.3.5 Automated monitoring

Examples of good practice

• A bank undertakes real-time payment screening against data about investment fraud from credible sources.

• There is clear governance of real-time payment screening. The quality of alerts (rather than simply the volume of false positives) is actively considered.

• Investment fraud subject matter experts are involved in the setting of monitoring rules.

• Automated monitoring programmes reflect insights from risk assessments or vulnerable customer initiatives.

• A bank has monitoring rules designed to detect specific types of investment fraud, e.g. boiler room fraud.

• A bank reviews accounts after risk triggers are tripped (such as the raising of a SAR) in a timely fashion.

• When alerts are raised, a bank checks against account-opening information to identify any inconsistencies with expectations.

Examples of poor practice

• A bank fails to use information about known or suspected perpetrators of investment fraud in its financial crime prevention systems.

• A bank does not consider investment fraud in the development of monitoring rules.

• The design of rules cannot be amended to reflect the changing nature of the risk being monitored.
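Two of the practices above, payment screening against investment-fraud reference data and checking alerts against account-opening information (the "anticipated turnover" point from the Detecting perpetrators list as well), as an added Python illustration. This is example code written for this page, not the FSA’s, the FCA’s or any bank’s system: the payee list, account profiles, payments and the two-times-turnover threshold are all constructed for the demonstration.

```python
"""Added example: two transaction-monitoring rules from the tables above.

Rule 1 screens each outbound payment against a reference list of known or
suspected investment-fraud payees (standing in for "data about investment
fraud from credible sources").
Rule 2 compares an account's actual outbound turnover with the turnover
anticipated at account opening, so that set-up information feeds monitoring
and each alert carries the inconsistency an analyst needs to see.
Every name, profile, payment and threshold here is constructed.
"""
import re
import unicodedata
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


def normalise(name: str) -> str:
    """Fold case, accents and punctuation so that trivially different
    spellings of the same payee still match the reference list."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(re.sub(r"[^a-z0-9]+", " ", ascii_only.lower()).split())


@dataclass(frozen=True)
class AccountProfile:
    account_id: str
    business_type: str
    anticipated_monthly_turnover: float  # declared at account opening


@dataclass(frozen=True)
class Payment:
    account_id: str
    payee: str
    amount: float


@dataclass(frozen=True)
class Alert:
    account_id: str
    rule: str
    rationale: str


# Constructed reference data; a real deployment would load this from
# industry or regulator feeds and refresh it as the intelligence changes.
SUSPECTED_PAYEES = {normalise(n) for n in ("Acme Capital Ltd", "Sunrise Land Holdings")}


def screen_payment(payment: Payment, profile: AccountProfile) -> Optional[Alert]:
    """Rule 1: payee matches the investment-fraud reference list.

    The rationale quotes the account-opening profile so the reviewer sees
    why the payment is out of character for this customer."""
    if normalise(payment.payee) in SUSPECTED_PAYEES:
        return Alert(
            payment.account_id,
            "payee_match",
            f"payee '{payment.payee}' is on the investment-fraud list; "
            f"account opened as '{profile.business_type}' with anticipated "
            f"turnover {profile.anticipated_monthly_turnover:,.0f}",
        )
    return None


def turnover_alerts(payments: List[Payment], profiles: Dict[str, AccountProfile],
                    multiple: float = 2.0) -> List[Alert]:
    """Rule 2: actual outbound turnover exceeds `multiple` times the
    turnover anticipated at account opening."""
    totals: Dict[str, float] = defaultdict(float)
    for p in payments:
        totals[p.account_id] += p.amount
    alerts: List[Alert] = []
    for account_id, total in sorted(totals.items()):
        expected = profiles[account_id].anticipated_monthly_turnover
        if total > multiple * expected:
            alerts.append(Alert(
                account_id,
                "turnover_exceeds_expectation",
                f"outbound {total:,.0f} against anticipated {expected:,.0f} "
                f"({total / expected:.1f}x; threshold {multiple:.1f}x)",
            ))
    return alerts


def run_monitoring(payments: List[Payment], profiles: Dict[str, AccountProfile],
                   multiple: float = 2.0) -> List[Alert]:
    """Apply both rules and return every alert with its rationale."""
    alerts: List[Alert] = []
    for p in payments:
        hit = screen_payment(p, profiles[p.account_id])
        if hit is not None:
            alerts.append(hit)
    alerts.extend(turnover_alerts(payments, profiles, multiple))
    return alerts


# Constructed sample data for a stand-alone run.
PROFILES = {
    "A001": AccountProfile("A001", "retail bakery", 5_000.0),
    "A002": AccountProfile("A002", "IT consultancy", 10_000.0),
    "A003": AccountProfile("A003", "sole trader plumber", 2_000.0),
}
PAYMENTS = [
    Payment("A001", "Flour Supplies Ltd", 1_200.0),
    Payment("A001", "ACME CAPITAL, LTD.", 3_000.0),  # matches the list after normalisation
    Payment("A002", "Payroll Bureau", 7_000.0),
    Payment("A002", "Office Lease Co", 8_000.0),
    Payment("A002", "Hardware Vendor", 9_000.0),     # total 24,000 vs 10,000 anticipated
    Payment("A003", "Merchant Plumbing", 500.0),
]

if __name__ == "__main__":
    for alert in run_monitoring(PAYMENTS, PROFILES):
        print(f"{alert.account_id} [{alert.rule}] {alert.rationale}")
```

The rationale string is the part worth copying: an alert that only says "hit" leaves the reviewer to re-derive the inconsistency, whereas one that carries the declared business type and anticipated turnover lets the quality of the alert, not just the count of false positives, be judged.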

14.3.6 Protecting victims

Examples of good practice

• A bank contacts customers in the event it suspects a payment is being made to an investment fraudster.

• A bank places material on investment fraud on its website.

• A bank adopts alternative customer awareness approaches, such as mailing customers and branch awareness initiatives.

• Work to detect and prevent investment fraud is integrated with a bank’s vulnerable customers initiative.

Examples of poor practice

• Communication with customers on fraud just covers types of fraud for which the bank may be financially liable, rather than fraud the customer might be exposed to.

• A bank has no material on investment fraud on its website.

• Failing to contact customers it suspects are making payments to investment fraudsters on the grounds that this constitutes ‘investment advice’.

14.3.7 Management reporting and escalation of suspicions

Examples of good practice

• A specific team focuses on investigating the perpetrators of investment fraud.

• A bank’s fraud statistics include figures for losses known or suspected to have been incurred by customers.

Examples of poor practice

• There is little reporting to senior management on the extent of investment fraud (whether victims or perpetrators) in a bank’s customer base.

• A bank is unable to access information on how many of the bank’s customers have become the victims of investment fraud.

14.3.8 Staff awareness

Examples of good practice

• Making good use of internal experience of investment fraud to provide rich and engaging training material.

• A wide range of materials are available that cover investment fraud.

• Awards are given on occasion to frontline staff when a noteworthy fraud is identified.

• Training material is tailored to the experience of specific areas such as branch and relationship management teams.

Examples of poor practice

• Training material only covers boiler rooms.

• A bank’s training material is out of date.

14.3.9 Use of industry intelligence

Examples of good practice

• A bank participates in cross-industry forums on fraud and boiler rooms and makes active use of intelligence gained from these initiatives in, for example, its transaction monitoring and screening efforts.

• A bank takes measures to identify new fraud typologies. It joins up internal intelligence, external intelligence, its own risk assessment and measures to address this risk.

Examples of poor practice

• A bank fails to act on actionable, credible intelligence shared at industry forums or received from other authoritative sources such as the FCA or City of London Police.

Financial Crime Thematic Reviews

Chapter 15

Banks’ control of financial crime risks in trade finance (2013)

15.1 Introduction

15.1.1 Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to banks carrying out trade finance business.

15.1.2 In July 2013, the FCA published the findings of our review of banks’ control of financial crime risks in trade finance. We visited 17 commercial banks to assess the systems and controls they had in place to contain the risks of money laundering, terrorist financing and sanctions breaches in trade finance operations. Our review only considered Documentary Letters of Credit (LCs) and Documentary Bills for Collection (BCs).

15.1.3 We found that banks generally had effective controls to ensure they were not dealing with sanctioned individuals or entities. But most banks had inadequate systems and controls over dual-use goods, and their anti-money laundering policies and procedures were often weak.

15.1.4 The following examples of good and poor practice should be read in conjunction with FCG. FCG provides more general guidance, including on AML and sanctions systems and controls, that can be relevant in the context of banks’ trade finance business. Not all examples of good and poor practice will be relevant to all banks that carry out trade finance business, and banks should consider them in a risk-based and proportionate way.

15.2 The FCA’s findings

15.2.1 You can read the findings of the FCA’s thematic review here: http://www.fca.org.uk/static/documents/thematic-reviews/tr-13-03.pdf

15.3 Consolidated examples of good and poor practice

15.3.1 Governance and MI

Examples of good practice

• Roles and responsibilities for managing financial crime risks in trade finance are clear and documented.

• The bank ensures that staff have the opportunity to share knowledge and information about financial crime risk in trade finance, for example by holding regular teleconferences with key trade finance staff or by including trade finance financial crime risk as an agenda item in relevant forums.

Examples of poor practice

• Failure to produce management information on financial crime risk in trade finance.

• Internal audit fails to consider financial crime controls in trade finance.

• The culture of a bank does not encourage the sharing of information relevant to managing financial crime risk in trade finance.

15.3.2 Risk assessment

Examples of good practice

• The bank assesses and documents both money laundering and sanctions risk in the bank’s trade finance business. This assessment is tailored to the bank’s role in trade transactions and can form part of the bank’s wider financial crime risk assessment.

Examples of poor practice

• Failure to update risk assessments and keep them under regular review to take account of emerging risks in trade finance.

• Only focusing on credit and reputational risk in trade finance.

• Not taking account of a customer’s use of the bank’s trade finance products and services in a financial crime risk assessment.

15.3.3 Policies and procedures

Examples of good practice

• Staff are required to consider financial crime risks specific to trade finance transactions and identify the customers and transactions that present the highest risk at various stages of a transaction.

• Staff identify key parties to a transaction and screen them against sanctions lists. Key parties include the instructing party, but may include other parties on a risk-sensitive basis.

• The bank provides guidance on recognising red flags in trade finance transactions.

Examples of poor practice

• Staff are not required to consider trade-specific money laundering risks (eg, FATF/Wolfsberg red flags).

• Procedures do not take account of money laundering risks and are focused on credit and operational risks.

• No clear escalation procedures for high-risk transactions.

• Procedures fail to take account of the parties involved in a transaction, the countries where they are based and the nature of the goods involved.

15.3.4 Due diligence

Examples of good practice

• Banks’ written procedures are clear about what due diligence checks are necessary on the instructing parties. They take account of the bank’s role in a transaction, and when it is appropriate to apply due diligence checks to others, including non-client beneficiaries (or recipients) of an LC or BC.

Examples of poor practice

• Trade processing teams do not make adequate use of the significant knowledge of customers’ activity possessed by relationship managers or trade sales teams when considering the financial crime risk in particular transactions.

• Lack of appropriate dialogue between CDD teams and trade processing teams whenever potential financial crime issues arise from the processing of a trade finance transaction.

15.3.5 Training and awareness

Examples of good practice

• Tailored training is given that raises staff awareness and understanding of trade-specific money laundering, sanctions and terrorist financing risks.

• Relevant industry publications are used to raise awareness of emerging risks.

• Processing staff are trained to look for suspicious variances in the pricing of comparable or analogous transactions.

Examples of poor practice

• Only providing generic training that does not take account of trade-specific AML risks (eg FATF/Wolfsberg red flags).

• Failure to roll out trade-specific financial crime training to all relevant staff engaged in trade finance activity, wherever located.

• Reliance on ‘experienced’ trade processing staff who have received no specific training on financial crime risk.

15.3.6 AML procedures

Examples of good practice

• A formal consideration of money laundering risk is written into the operating procedures governing LCs and BCs.

• The money laundering risk in each transaction is considered and evidence of the assessment made is kept.

• Detailed guidance is available for relevant staff on what constitutes a potentially suspicious transaction, including indicative lists of red flags.

• Staff processing transactions have a good knowledge of a customer’s expected activity, and a sound understanding of trade-based money laundering risks.

• Processing teams are encouraged to escalate suspicions for investigation as soon as possible.

• Those responsible for reviewing escalated transactions have an extensive knowledge of trade-based money laundering risk.

• Underlying trade documentation relevant to the financial instrument is obtained and reviewed on a risk-sensitive basis.

• Third party data sources are used on a risk-sensitive basis to verify the information given in the LC or BC.

• Using professional judgement to consider whether the pricing of goods makes commercial sense, in particular in relation to traded commodities for which reliable and up-to-date pricing information can be obtained.

• Regular, periodic quality assurance work is conducted by suitably qualified staff who assess the judgments made in relation to money laundering risk and potentially suspicious transactions.

• Trade processing staff keep up to date with emerging trade-based money laundering risks.

• Where red flags are used by banks as part of operational procedures, they are regularly updated and easily accessible to staff.

• Expertise in trade-based money laundering is also held in a department outside of the trade finance business (e.g. Compliance) so that independent decisions can be made in relation to further investigation of escalations and possible SAR reporting.

Examples of poor practice

• Failure to assess transactions for money laundering risk.

• Reliance on customer due diligence procedures alone to mitigate the risk of money laundering in transactions.

• Reliance on training alone to ensure that staff escalate suspicious transactions, when there are no other procedures or controls in place.

• Disregarding money laundering risk when transactions present little or no credit risk.

• Money laundering risk is disregarded when transactions involve another group entity (especially if the group entity is in a high-risk jurisdiction).

• A focus on sanctions risk at the expense of money laundering risk.

• Failure to document adequately how money laundering risk has been considered or the steps taken to determine that a transaction is legitimate.

• Trade-based money laundering checklists are used as ‘tick lists’ rather than as a starting point to think about the wider risks.

• Failure to investigate potentially suspicious transactions due to time constraints or commercial pressures.

• Failure to ensure that relevant staff understand money laundering risk and are aware of relevant industry guidance or red flags.

• Failure to distinguish money laundering risk from sanctions risk.

• Ambiguous escalation procedures for potentially suspicious transactions, or procedures that only allow for escalation to be made to sanctions teams.

• Not taking account of other forms of potentially suspicious activity that may not be covered by the firm’s guidance.

• Failure to make use of information held in CDD files and RMs’ knowledge to identify potentially suspicious transactions.

• Trade processing teams are not given sufficient time to fully investigate potentially suspicious activity, particularly when there are commercial time pressures.

• Trade processing staff are not encouraged to keep up to date with emerging trade-based money laundering risks.

15.3.7 Sanctions procedures

Examples of good practice

• Screening information contained within trade documents against applicable sanctions lists.

• Hits are investigated before proceeding with a transaction (for example, obtaining confirmation from third parties that an entity is not sanctioned), and the rationale for any decisions made is clearly documented.

• Shipping container numbers are validated on a risk-sensitive basis.

• Potential sanctions matches are screened for at several key stages of a transaction.

• Previous sanction alerts are analysed to identify situations where true hits are most likely to occur, and the bank focuses its sanctions resources accordingly.

• New or amended information about a transaction is captured and screened.

Examples of poor practice

• Staff dealing with trade-related sanctions queries are not appropriately qualified and experienced to perform the role effectively.

• Failure to screen trade documentation.

• Failure to screen against all relevant international sanctions lists.

• Failure to keep up to date with the latest information regarding name changes for sanctioned entities, especially as the information may not be reflected immediately on relevant sanctions lists.

• Failure to record the rationale for decisions to discount false positives.

• Failure to undertake risk-sensitive screening of information held on agents, insurance companies, shippers, freight forwarders, delivery agents, inspection agents, signatories, and parties mentioned in certificates of origin, as well as the main counterparties to a transaction.

• Failure to record the rationale for decisions that are taken not to screen particular entities and to retain that information for audit purposes.
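The container-number validation mentioned above, as an added Python example. It is not the FCA’s or any bank’s code; it applies the ISO 6346 format and check-digit rule (three-letter owner code, category identifier U, J or Z, six serial digits and a check digit), keeps the reason for each outcome so the decision trail can be recorded, and leaves the "risk-sensitive" part, which documents get checked, to the caller. The sample numbers are chosen for the demonstration.

```python
"""Added example: syntactic validation of shipping container numbers.

ISO 6346 container numbers have the form OOOC SSSSSS D: a three-letter owner
code, a category identifier (U, J or Z), six serial digits and a check digit.
The check digit is derived from the first ten characters, so a transposed or
mistyped number in a trade document is caught before it is screened or
relied on. This code was written for this page; the sample numbers are
chosen for the demonstration.
"""
import re
from typing import Dict, List, Tuple

# Letter values per ISO 6346: A=10, then increasing, skipping multiples of 11
# (11, 22, 33) because such a value would contribute nothing to the mod-11 sum.
_LETTER_VALUES: Dict[str, int] = {}
_value = 10
for _letter in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
    _LETTER_VALUES[_letter] = _value
    _value += 1
    if _value % 11 == 0:
        _value += 1

_CONTAINER_RE = re.compile(r"^[A-Z]{3}[UJZ]\d{6}\d$")


def canonicalise(number: str) -> str:
    """Strip spaces and hyphens and upper-case, the way the number appears
    when copied from a bill of lading or an LC."""
    return re.sub(r"[\s-]", "", number).upper()


def compute_check_digit(prefix: str) -> int:
    """Check digit for the first ten characters (4 letters + 6 digits).

    Each character's value is weighted by 2**position, summed and reduced
    modulo 11; a residue of 10 is written as 0."""
    if len(prefix) != 10:
        raise ValueError("prefix must be the first ten characters")
    total = 0
    for pos, ch in enumerate(prefix):
        value = _LETTER_VALUES[ch] if ch.isalpha() else int(ch)
        total += value * (2 ** pos)
    return (total % 11) % 10


def validate_container_number(number: str) -> Tuple[bool, str]:
    """Return (is_valid, reason); the reason is a short audit-friendly string."""
    canon = canonicalise(number)
    if not _CONTAINER_RE.match(canon):
        return False, f"malformed container number: {number!r}"
    expected = compute_check_digit(canon[:10])
    if int(canon[10]) != expected:
        return False, f"check digit mismatch for {canon}: expected {expected}"
    return True, f"{canon} passes ISO 6346 check"


def screen_document_containers(numbers: List[str]) -> Dict[str, Tuple[bool, str]]:
    """Validate every container number extracted from a trade document and
    keep the reason for each outcome, so the decision trail can be audited."""
    return {n: validate_container_number(n) for n in numbers}


# Constructed sample, as if extracted from a bill of lading.
SAMPLE_DOCUMENT_CONTAINERS = [
    "CSQU3054383",    # well-formed, check digit correct
    "csqu 305438 3",  # the same number as typed with spaces and lower case
    "CSQU3054384",    # last digit altered: check digit no longer matches
    "CSQ3054383",     # too short to be a container number
    "CSQX3054383",    # category identifier X is not U, J or Z
]

if __name__ == "__main__":
    for ok, reason in screen_document_containers(SAMPLE_DOCUMENT_CONTAINERS).values():
        print(f"{'OK  ' if ok else 'FAIL'} {reason}")
```

A passing check digit only says the number is well formed; it does not say the container exists or is where the document claims, which is why the practice above pairs validation with risk-sensitive judgement rather than treating it as a tick-box.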

15.3.8 Dual-use goods

Examples of good practice

• Ensuring staff are aware of dual-use goods issues and common types of goods that have a dual use, and are capable of identifying red flags that suggest that dual-use goods risk being supplied for illicit purposes.

• Confirming with the exporter in higher-risk situations whether a government licence is required for the transaction and seeking a copy of the licence where required.

Examples of poor practice

• No clear dual-use goods policy.

• Failure to undertake further research where goods descriptions are unclear or vague.

• Third party data sources are not used where possible to undertake checks on dual-use goods.

Financial Crime Thematic Reviews

Chapter 16

How small banks manage money laundering and sanctions risk – update (2014)

16.1 Introduction

16.1.1 Who should read this chapter? This chapter is relevant, and its statements of good practice apply, to banks we supervise under the Money Laundering Regulations. It may be of interest to other firms we supervise under the Money Laundering Regulations.

16.1.2 In November 2014 we published the findings of our thematic review of how small banks manage AML and sanctions risk. We assessed the adequacy of the AML and sanctions systems and controls of 21 small banks. We also looked at the extent to which the banks had considered our regulatory AML guidance, enforcement cases and the findings from our 2011 review of ‘banks’ management of high money laundering risk situations’. To this end, our sample included five banks that had also been part of our sample in 2011.

16.1.3 A small number of banks in our sample had implemented effective AML and sanctions controls. But, despite our extensive work in this area over recent years, we found significant and widespread weaknesses in most of the sample banks’ AML systems and controls and in some banks’ sanctions controls. We also found that AML resources were inadequate in one-third of all banks in our sample and that some overseas banks struggled to reconcile their group AML policies with UK AML standards and requirements.

16.1.4 The contents of this report are reflected in FCG 1 to FCG 3.

16.2 The FCA findings

16.2.1 You can read the findings of our thematic review here: http://www.fca.org.uk/news/tr14-16-how-small-banks-manage-money-laundering-and-sanctions-risk

16.3 Themes

16.3.1 Management information (MI)

Useful MI provides senior management with the information they need to ensure that the firm effectively manages the money laundering and sanctions risks to which it is exposed. MI should be provided regularly, including as part of the MLRO report, and ad hoc, as risk dictates.

Examples of useful MI include:

• an overview of the money laundering and sanctions risks to which the bank is exposed, including information about emerging risks and any changes to the bank’s risk assessment

• an overview of the systems and controls to mitigate those risks, including information about the effectiveness of these systems and controls and any changes to the bank’s control environment

• legal and regulatory developments and the impact these have on the bank’s approach

• relevant information about individual business relationships, for example:

  – the number and nature of new accounts opened, in particular where these are high risk

  – the number and nature of accounts closed, in particular where these have been closed for financial crime reasons

  – the number of dormant accounts and re-activated dormant accounts, and

  – the number of transaction monitoring alerts and suspicious activity reports, including where the processing of these has fallen outside of agreed service level agreements.

16.3.2 Governance structures

Banks should have a governance structure that is appropriate to the size and nature of their business.

To be effective, a governance structure should enable the firm to:

• clearly allocate responsibilities for financial crime issues

• establish clear reporting lines and escalation paths

• identify and manage conflicts of interest, in particular where staff hold several functions cumulatively, and

• record and retain key decisions relating to the management of money laundering and sanctions risks, including, where appropriate, decisions resulting from informal conversations.

Culture and tone from the top.....................................................................................................An effective AML and sanctions control framework depends on seniormanagement setting and enforcing a clear level of risk appetite, andembedding a culture of compliance where financial crime is not acceptable.

Examples of good practice include:

•senior management taking leadership on AML and sanctions issues,for example through everyday decision-making and staffcommunications

•clearly articulating and enforcing the bank’s risk appetite – thisincludes rejecting individual business relationships where the bank isnot satisfied that it can manage the risk effectively

•allocating sufficient resources to the bank’s compliance function

•ensuring that the bank’s culture enables it to comply with the UK’slegal and regulatory AML framework, and

•considering whether incentives reward unacceptable risk-taking orcompliance breaches and, if they do, removing them.

Risk assessment.....................................................................................................Banks must identify and assess the money laundering risk to which they areexposed. This will help them understand which parts of their business aremost vulnerable to money laundering and which parts they should prioritisein their fight against financial crime. It will also help banks decide on theappropriate level of CDD and monitoring for individual businessrelationships.

A business-wide risk assessment:

•must be comprehensive, meaning that it should consider a widerange of factors, including the risk associated with the bank’scustomers, products, and services – it is not normally enough toconsider just one factor

•should draw on a wide range of relevant information – it is notnormally enough to consider just one source, and

•must be proportionate to the nature, scale and complexity of thebank’s activities.

Banks should build on their business-wide risk assessment to determine the level of CDD they should apply to individual business relationships or occasional transactions. CDD will help banks refine their assessment of risk associated with individual business relationships or occasional transactions and will determine whether additional CDD measures should be applied and the extent of monitoring that is required to mitigate that risk. An individual assessment of risk associated with a business relationship or occasional transaction can inform, but is no substitute for, a business-wide risk assessment.

A customer risk assessment:

• should enable banks to take a holistic view of the risk associated with a business relationship or occasional transaction by considering all relevant risk factors, and

• should be recorded – where the risk is high, banks should include the reason why they are content to accept the risk associated with the business relationship or occasional transaction and details of any steps the bank will take to mitigate the risks, such as restrictions on the account or enhanced monitoring.

See regulation 20 of the Money Laundering Regulations and ■ SYSC 6.3.1R.

Enhanced due diligence (EDD)

The central objective of EDD is to enable a bank to better understand the risks associated with a high-risk customer and make an informed decision about whether to on-board or continue the business relationship or carry out the occasional transaction. It also helps the bank to manage the increased risk by deepening its understanding of the customer, the beneficial owner, and the nature and purpose of the relationship.

The extent of EDD must be commensurate with the risk associated with the business relationship or occasional transaction but banks can decide, in most cases, which aspects of CDD they should enhance.

Senior management should be provided with all relevant information (eg, source of wealth, source of funds, potential risks, adverse information and red flags) before approving PEP relationships to ensure they understand the nature of, and the risks posed by, the relationship they are approving.

Examples of effective EDD measures we observed included:

• obtaining more information about the customer’s or beneficial owner’s business

• obtaining more robust verification of the beneficial owner’s identity on the basis of information obtained from a reliable and independent source

• carrying out searches on a corporate customer’s directors (or individuals exercising control) to understand whether their business or integrity affects the level of risk associated with the business relationship, for example because they also hold a public function

• using open source websites to gain a better understanding of the customer or beneficial owner, their reputation and their role in public life – where banks find information containing allegations of wrongdoing or court judgments, they should assess how this affects the level of risk associated with the business relationship

• establishing the source of wealth to be satisfied that this is legitimate – banks can establish the source of wealth through a combination of customer-provided information, open source information and documents such as evidence of title, copies of trust deeds and audited accounts (detailing dividends)

• establishing the source of funds used in the business relationship to be satisfied they do not constitute the proceeds of crime

• commissioning external third-party intelligence reports where it is not possible for the bank to easily obtain information through open source searches or there are doubts about the reliability of open source information, and

• where the bank considers whether to rely on another firm for EDD purposes, it ensures that the extent of EDD measures is commensurate with the risk it has identified and that it holds enough information about the customer to carry out meaningful enhanced ongoing monitoring of the business relationship – the bank must also be satisfied that the quality of EDD is sufficient to satisfy the UK’s legal and regulatory requirements.

See regulation 7 of the Money Laundering Regulations.

Enhanced ongoing monitoring

In addition to guidance contained in ■ FCG 3.2.9G:

• compliance has adequate oversight over the quality and effectiveness of periodic and event-driven reviews, and

• the firm does not place reliance only on identifying large transactions and makes use of other ‘red flags’.

Transaction monitoring

Examples of red flags in transaction monitoring can include (this list is not exhaustive):

• third parties making repayments on behalf of the customer, particularly when this is unexpected

• repayments being made from multiple bank accounts held by the customer

• transactions that are inconsistent with the business activities of the customer

• the purpose of the customer account changing without adequate explanation or oversight

• transactions unexpectedly involving high-risk jurisdictions, sectors or individuals

• early repayment of loans or increased frequency/size of repayments

• accounts with low balances but a high volume of large debits and credits


• cumulative turnover significantly exceeding the customer’s income/expected activity

• debits being made shortly after credits of the same value are received

• the customer making frequent transactions just below transaction monitoring alert thresholds

• debits to and credits from third parties where there is no obvious explanation for the transaction, and

• the customer providing insufficient or misleading information when asked about a transaction, or being otherwise evasive.
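Four of the red flags listed above, expressed as detection rules and run over a month of constructed account activity, as an added example that is not FCA or any bank's code. The alert threshold, the "just below" band, the pass-through window, the expected turnover and the sample transactions are all assumptions chosen for the illustration; `review_account` returns the flags raised so that an analyst can review them, it closes nothing itself.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median

# Added illustration of the transaction-monitoring red flags above as simple
# rules. Not FCA or any bank's code; all thresholds and data are constructed.

ALERT_THRESHOLD = 10_000.0  # assumed monitoring alert threshold (constructed)
NEAR_BAND = 0.10            # "just below" = within 10% under the threshold
NEAR_MIN_COUNT = 3          # near-threshold movements needed to raise a flag
PASS_THROUGH_DAYS = 2       # debit within this many days of an equal credit
LARGE = 5_000.0             # what counts as a large debit or credit

@dataclass
class Txn:
    day: date
    amount: float       # positive = credit, negative = debit
    counterparty: str

def just_below_threshold(txns, threshold=ALERT_THRESHOLD):
    """Transactions sitting just under the alert threshold (possible structuring)."""
    lo = threshold * (1 - NEAR_BAND)
    return [t for t in txns if lo <= abs(t.amount) < threshold]

def pass_through(txns, days=PASS_THROUGH_DAYS):
    """Debits made shortly after credits of the same value are received."""
    hits = []
    for c in (t for t in txns if t.amount > 0):
        for d in txns:
            if d.amount < 0 and abs(d.amount) == c.amount and 0 <= (d.day - c.day).days <= days:
                hits.append((c, d))
    return hits

def turnover_exceeds_expected(txns, expected_turnover, factor=2.0):
    """Cumulative credit turnover well above the activity expected at onboarding."""
    turnover = sum(t.amount for t in txns if t.amount > 0)
    return turnover, turnover > factor * expected_turnover

def low_balance_high_volume(txns, opening_balance, low=3_000.0, min_large=4):
    """Typically low balance while large debits and credits flow through."""
    balance, running = opening_balance, []
    for t in sorted(txns, key=lambda t: t.day):
        balance += t.amount
        running.append(balance)
    large = sum(1 for t in txns if abs(t.amount) >= LARGE)
    return bool(running) and median(running) < low and large >= min_large

def review_account(txns, expected_turnover, opening_balance):
    """Run every rule; return the red flags raised, for an analyst to review."""
    flags = {}
    near = just_below_threshold(txns)
    if len(near) >= NEAR_MIN_COUNT:
        flags["just_below_threshold"] = len(near)
    pairs = pass_through(txns)
    if pairs:
        flags["pass_through"] = [(c.day, d.day, c.amount) for c, d in pairs]
    turnover, high = turnover_exceeds_expected(txns, expected_turnover)
    if high:
        flags["turnover_exceeds_expected"] = turnover
    if low_balance_high_volume(txns, opening_balance):
        flags["low_balance_high_volume"] = True
    return flags

# Constructed sample: one month on an account that declared 10,000 expected
# monthly turnover at onboarding and started the month 800 in credit.
SAMPLE_TXNS = [
    Txn(date(2020, 3, 2), 9_600.0, "Third party A"),
    Txn(date(2020, 3, 3), -9_600.0, "Overseas Co"),
    Txn(date(2020, 3, 9), 9_400.0, "Third party B"),
    Txn(date(2020, 3, 10), -9_400.0, "Overseas Co"),
    Txn(date(2020, 3, 16), 9_800.0, "Third party A"),
    Txn(date(2020, 3, 17), -9_800.0, "Overseas Co"),
    Txn(date(2020, 3, 20), 1_200.0, "Regular client"),
    Txn(date(2020, 3, 25), -300.0, "Office supplier"),
]
```

On the sample account `review_account(SAMPLE_TXNS, 10_000.0, 800.0)` raises all four flags; the same rules return nothing for an account with no activity, which is the edge a rule engine must handle before it sees real data.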

Customer reviews

Banks must keep the documents, data or information obtained as part of the CDD process up to date. This will help banks ascertain that the level of risk associated with the business relationship has not changed, or enable them to take appropriate steps where it has changed.

Examples of factors which banks may consider when conducting periodic reviews:

• Has the nature of the business relationship changed?

• Does the risk rating remain appropriate in the light of any changes to the business relationship since the last review?

• Does the business relationship remain within the firm’s risk appetite?

• Does the actual account activity match the expected activity indicated at the start of the relationship? If it does not, what does this mean?

Examples of measures banks may take when reviewing business relationships:

• assessing the transactions flowing through the customer’s accounts at a business relationship level rather than at an individual transaction level to identify any trends

• repeating screening for sanctions, PEPs and adverse media, and

• refreshing customer due diligence documentation, in particular where this is not in line with legal and regulatory standards.

See regulation 8 of the Money Laundering Regulations.

Sanctions

In addition to guidance contained in ■ FCG 7, examples of good practice include:

• firms carrying out ‘four-eye’ checks on sanctions alerts before closing an alert or conducting quality assurance on sanctions alert closure on a sample basis


• firms regularly screening their customer database (including, where appropriate, associated persons, eg, directors) against sanctions lists using systems with fuzzy matching capabilities, and

• specified individuals having access to CDD information held on each of the bank’s customers to enable adequate discounting of sanctions alerts.
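The three practices above in working form, as an added example that is not FCA or any firm's code: fuzzy screening of customers and their associated persons against a list, discounting an alert only where CDD data held on the customer (here, a year of birth) contradicts the listing, and a four-eye check before closure. The list entries, the customer records, the suffix list and the 0.85 match threshold are assumptions constructed for the illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Added illustration of the sanctions practices above: fuzzy screening of
# customers and associated persons, discounting alerts against CDD data, and a
# four-eye closure check. Not FCA or any firm's code; list entries, customer
# records and the 0.85 threshold are constructed for the example.

# Constructed list entries: (name, year of birth, or None for an entity).
SANCTIONS_LIST = [
    ("Ivan Petrov", 1965),
    ("Global Trade Holdings LLC", None),
    ("Muhammad al-Rashid", 1971),
]
CORPORATE_SUFFIXES = {"ltd", "llc", "limited", "inc", "plc"}

def normalise(name):
    """Fold case, strip accents/punctuation, drop corporate suffixes, sort tokens."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.split(r"[^a-z0-9]+", ascii_name.casefold())
    return " ".join(sorted(t for t in tokens if t and t not in CORPORATE_SUFFIXES))

def similarity(a, b):
    """Fuzzy score in [0, 1]; 1.0 means the normalised names are identical."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()

def screen(record, threshold=0.85):
    """Alerts for one customer record and every associated person on it."""
    alerts = []
    for subj in [record] + record.get("associated", []):
        for listed_name, listed_yob in SANCTIONS_LIST:
            score = similarity(subj["name"], listed_name)
            if score < threshold:
                continue
            # CDD data held on the customer is what lets a reviewer discount:
            # a recorded year of birth that contradicts the listing is a basis.
            conflict = (subj.get("yob") is not None and listed_yob is not None
                        and subj["yob"] != listed_yob)
            alerts.append({"subject": subj["name"], "listed": listed_name,
                           "score": round(score, 2), "dob_conflict": conflict,
                           "status": "open"})
    return alerts

def screen_all(customers):
    """Periodic re-screen of the whole customer database."""
    return [a for c in customers for a in screen(c)]

def close_alert(alert, reviewer, approver):
    """Four-eye closure: two different people, and a recorded CDD basis."""
    if reviewer == approver:
        raise ValueError("four-eye check needs two different reviewers")
    if not alert["dob_conflict"]:
        raise ValueError("no CDD basis recorded for discounting this alert")
    alert.update(status="closed", closed_by=(reviewer, approver))
    return alert

# Constructed customer records; "associated" holds directors/controllers.
CUSTOMERS = [
    {"name": "PETROV, Ivan", "yob": 1982, "associated": []},
    {"name": "GLOBAL TRADE HOLDING", "yob": None, "associated": []},
    {"name": "Northern Goods Ltd", "yob": None,
     "associated": [{"name": "Mohammed Al Rashid", "yob": 1971}]},
    {"name": "Jane Smith", "yob": 1990, "associated": []},
]
```

Note that the director of Northern Goods Ltd is caught only because associated persons are screened, and that his alert cannot be discounted because the year of birth held on file agrees with the listing.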

Chapter 17

Managing bribery and corruption risk in commercial insurance broking – update (2014)


17.1 Introduction

Who should read this chapter? This chapter is relevant, and its statements of good practice apply, to

• commercial insurance intermediaries and other firms who are subject to the financial crime rules in ■ SYSC 3.2.6R or ■ SYSC 6.1.1R, and

• e-money institutions and payment institutions within our supervisory scope.

In November 2014 we published a thematic review of how commercial insurance intermediaries manage bribery and corruption risk. We looked at ten intermediaries’ anti-corruption systems and controls and the extent to which these intermediaries had considered our existing guidance, enforcement cases and the findings from thematic work, particularly our 2010 review of ‘anti-bribery and corruption in wholesale insurance broking’. This sample also included five intermediaries that had been part of the sample in 2010.

While most intermediaries had begun to look at their ABC systems and controls, this was work in progress and more improvement was needed. We found that most intermediaries we saw were still not managing their bribery and corruption risk effectively. Business-wide bribery and corruption risk assessments were based on a range of risk factors that were too narrow and many intermediaries failed to take a holistic view of the bribery and corruption risk associated with individual relationships. Half of the due diligence files we reviewed were inadequate and senior management oversight was often weak.

The contents of this report are reflected in ■ FCG 1 and ■ FCG 2.


17.2 The FCA findings

You can read the findings of our thematic review here: http://www.fca.org.uk/news/tr14-17-managing-bribery-and-corruption-risk-in-commercial-insurance-broking


17.3 Themes

Governance

This section complements guidance in ■ FCG 2.2.1G and ■ FCG 6.2.1G and ■ FCTR 9.3.1G.

• As part of their ABC governance structures, intermediaries may consider appointing an ABC officer with technical expertise and professional credibility within the intermediary.

• Intermediaries should ensure that responsibility for oversight and management of third-party introducers and other intermediaries is clearly allocated.

Management information (MI)

This section complements guidance in ■ FCG 2.2.2G and ■ FCTR 9.3.1G.

Examples of ABC MI which intermediaries may consider providing include:

• details of any business rejected in the relevant period because of bribery and corruption concerns, including the perception that the risk of bribery and corruption associated with the business might be increased, and

• details, using a risk-based approach, of staff expenses, gifts and hospitality and charitable donations, including claims that were rejected and cases of non-compliance with the intermediary’s policies where relevant.

Intermediaries may consider providing ABC MI about third-party introducers and other intermediaries.

Examples of such MI include:

• a breakdown of third-party introducers and other intermediaries, in chains that are involved in business generation, with details of the business sectors and countries they work in

• the amount of business each third-party introducer or other intermediary generates

• how much the immediate third-party introducer or other intermediary with whom the intermediary has a direct relationship is paid and on what basis (fees, commission, etc), and


• details of the third-party introducer’s role, including the services they provide and the basis of the commission or other remuneration they receive.

Risk assessment

This section complements guidance in ■ FCG 2.2.4G, ■ FCG 6.2.2G and ■ FCG 6.2.4G and ■ FCTR 9.3.2G and ■ FCTR 9.3.3G.

Business-wide risk assessments

Intermediaries should identify and assess the bribery and corruption risk across all aspects of their business.

Examples of factors which intermediaries should consider when assessing risk across their business:

• Risks associated with the jurisdictions the intermediary does business in, the sectors they do business with and how they generate business.

• Risks associated with insurance distribution chains, in particular where these are long. This includes taking steps to understand the risk associated with parties that are not immediate relationships, where these can be identified. Parties that are not immediate relationships may include, in addition to the insured and the insurer, entities such as introducers, sub-brokers, co-brokers, producing brokers, consultants, coverholders and agents.

• Risks arising from non-trading elements of the business, including staff recruitment and remuneration, corporate hospitality and charitable donations.

Risk assessments and due diligence for individual relationships

The risk-rating process for individual third-party introducer and client relationships, for example the producing broker, should build on the intermediary’s business-wide risk assessment.

Examples of factors intermediaries may consider when assessing bribery and corruption risk associated with individual relationships include:

• the role that the party performs in the distribution chain

• the territory in which it is based or in which it does business

• how much and how the party is remunerated for this work

• the risk associated with the industry sector or class of business, and

• the governance and ownership of the third party, including any political or governmental connections.

Intermediaries should decide on the level of due diligence, and which party to apply due diligence to, based on their assessment of risk associated with the relationship. This may include other parties in the insurance chain and not just their immediate contact. Where it is not possible or feasible to conduct due diligence on other parties, intermediaries should consider alternative approaches, such as adjustments to the level of monitoring to identify unusual or suspicious payments.


Examples of the type of information which intermediaries may obtain as part of the due diligence process include:

• other intermediaries’ terms of business and identification documentation, including information about their anti-corruption controls

• checks, as risk dictates, on company directors, controllers and ultimate beneficial owners, considering any individuals or companies linked to the client, PEP screening and status, links to a PEP or national government, sanctions screening, adverse media screening and action taken in relation to any screening hits, and

• for third-party introducers, details of the business rationale.

Ongoing monitoring and reviews

This section complements guidance in ■ FCG 2.2.5G, ■ FCG 6.2.3G and ■ FCG 6.2.4G and ■ FCTR 9.3.3G.

Examples of ongoing monitoring and review for ABC purposes include:

• payment monitoring, including a review of payments to identify unusual or suspicious payments

• refreshing due diligence documentation

• ensuring that the business rationale remains valid – this may include a review of third-party introducers’ activities

• re-scoring risk where necessary, including based on the outcome of internal or external reviews or audits

• updating PEP screening, sanctions screening and adverse media screening, and

• taking a risk-based approach to ongoing monitoring measures applied to directors, controllers, ultimate beneficial owners and shareholders relevant to third-party relationships, which is consistent with the risk rating applied at the outset of a relationship.

Payment controls – insurance broking accounts

This section complements guidance in ■ FCG 6.2.3G and ■ FCG 6.2.4G and ■ FCTR 9.3.4G and ■ FCTR 9.3.9G.

• Intermediaries should set meaningful thresholds for gifts and hospitality that reflect business practice and help identify potentially corrupt actions.

• When determining whether a payment is appropriate, staff responsible for approving payments should consider whether the payment is in line with the approved scope of the third-party relationship.


Payment controls – accounts payable

This section complements guidance in ■ FCG 6.2.3G and ■ FCG 6.2.4G and ■ FCTR 9.3.4G.

• Intermediaries should consider whether an absence of recorded gifts, entertainment, expenses and donations may be due to reporting thresholds being too high and/or staff being unaware of the requirement to report.

Training and awareness

This section complements guidance in ■ FCG 2.2.6G and ■ FCG 6.2.3G and ■ FCTR 9.3.6G and ■ FCTR 9.3.9G.

Examples of initiatives to supplement ABC training and awareness include:

• creating a one-page aide-mémoire for staff, listing key points on preventing financial crime and the whistleblowing process, to which staff could easily refer, and

• appointing a compliance expert within each business area who provides ABC advice to staff.
