financial crime: a guide for firms - part 2 - fca handbook · 1.1 part 2 of financial crime: a...

Financial crime: a guide for firms Part 2: Financial crime thematic reviews April 2013 Financial Conduct Authority


Contents

1 Introduction
2 Firms' high-level management of fraud risk (2006)
3 Review of private banks' anti-money laundering systems and controls (2007)
4 Automated Anti-Money Laundering Transaction Monitoring Systems (2007)
    Box 4.1 Statement of good practice
5 Review of firms' implementation of a risk-based approach to anti-money laundering (AML) (2008)
    Box 5.1 Firms' implementation of a risk-based approach to AML
6 Data security in Financial Services (2008)
    Box 6.1 Governance
    Box 6.2 Training and awareness
    Box 6.3 Staff recruitment and vetting
    Box 6.4 Controls – access rights
    Box 6.5 Controls – passwords and user accounts
    Box 6.6 Controls – monitoring access to customer data
    Box 6.7 Controls – data back-up
    Box 6.8 Controls – access to the Internet and email
    Box 6.9 Controls – key-logging devices
    Box 6.10 Controls – laptop
    Box 6.11 Controls – portable media including USB devices and CDs
    Box 6.12 Physical security
    Box 6.13 Disposal of customer data
    Box 6.14 Managing third-party suppliers
    Box 6.15 Internal audit and compliance monitoring
7 Review of financial crime controls in offshore centres (2008)
8 Financial services firms' approach to UK financial sanctions (2009)
    Box 8.1 Senior management responsibility
    Box 8.2 Risk assessment
    Box 8.3 Policies and procedures
    Box 8.4 Staff training and awareness
    Box 8.5 Screening during client take-on
    Box 8.6 Ongoing screening
    Box 8.7 Treatment of potential target matches
9 Anti-bribery and corruption in commercial insurance broking (2010)
    Box 9.1 Governance and management information
    Box 9.2 Risk assessment and responses to significant bribery and corruption events
    Box 9.3 Due diligence on third-party relationships
    Box 9.4 Payment controls
    Box 9.5 Staff recruitment and vetting
    Box 9.6 Training and awareness
    Box 9.7 Risk arising from remuneration structures
    Box 9.8 Incident reporting
    Box 9.9 The role of compliance and internal audit
10 The Small Firms Financial Crime Review (2010)
    Box 10.1 Regulatory/Legal obligations
    Box 10.2 Account opening procedures
    Box 10.3 Monitoring activity
    Box 10.4 Suspicious activity reporting
    Box 10.5 Records
    Box 10.6 Training
    Box 10.7 Responsibilities and risk assessments
    Box 10.8 Access to systems
    Box 10.9 Outsourcing
    Box 10.10 Physical controls
    Box 10.11 Data disposal
    Box 10.12 Data compromise incidents
    Box 10.13 General fraud
    Box 10.14 Insurance fraud
    Box 10.15 Investment fraud
    Box 10.16 Mortgage fraud
    Box 10.17 Staff/Internal fraud
11 Mortgage fraud against lenders (2011)
    Box 11.1 Governance, culture and information sharing
    Box 11.2 Applications processing and underwriting
    Box 11.3 Mortgage fraud prevention, investigations and recoveries
    Box 11.4 Managing relationships with conveyancers, brokers and valuers
    Box 11.5 Compliance and internal audit
    Box 11.6 Staff recruitment and vetting
    Box 11.7 Remuneration structures
    Box 11.8 Staff training and awareness
12 Banks' management of high money-laundering risk situations (2011)
    Box 12.1 High risk customers and PEPs – AML policies and procedures
    Box 12.2 High risk customers and PEPs – Risk assessment
    Box 12.3 High risk customers and PEPs – Customer take-on
    Box 12.4 High risk customers and PEPs – Enhanced monitoring of high risk relationships
    Box 12.5 Correspondent banking – Risk assessment of respondent banks
    Box 12.6 Correspondent banking – Customer take-on
    Box 12.7 Correspondent banking – Ongoing monitoring of respondent accounts
    Box 12.8 Wire transfers – Paying banks
    Box 12.9 Wire transfers – Intermediary banks
    Box 12.10 Wire transfers – Beneficiary banks
    Box 12.11 Wire transfers – Implementation of SWIFT MT202COV
13 Anti-bribery and corruption systems and controls in investment banks (2012)
    Box 13.1 Governance and management information
    Box 13.2 Assessing bribery and corruption risk
    Box 13.3 Policies and procedures
    Box 13.4 Third party relationships and due diligence
    Box 13.5 Payment controls
    Box 13.6 Gifts and hospitality
    Box 13.7 Staff recruitment and vetting
    Box 13.8 Training and awareness
    Box 13.9 Remuneration structures
    Box 13.10 Incident reporting and management
14 Banks' defences against investment fraud
    Box 14.1 Governance
    Box 14.2 Risk assessment
    Box 14.3 Detecting perpetrators
    Box 14.4 Automated monitoring
    Box 14.5 Protecting victims
    Box 14.6 Management reporting and escalation of suspicions
    Box 14.7 Staff awareness
    Box 14.8 Use of industry intelligence

1 Introduction

1.1 Part 2 of Financial crime: a guide for firms contains summaries of, and links to, thematic reviews of various financial crime risks. It includes the consolidated examples of good and poor practice that were included with the reviews' findings. Each chapter includes a statement about those to whom it is most relevant and, where good and poor practice is included, to whom that guidance applies. We have suggested where material may be of interest and use to a broader range of firms, but we will only take guidance as applying to those types of firms to whom we have directly applied it. Each chapter also includes cross references to relevant chapters in Part 1.

1.2 The statements of our expectations and the examples of good and poor practice in the body of Part 2 have the same status as in Part 1: they are "general guidance" as defined by section 158 of the Financial Services and Markets Act 2000. The guidance in Part 2 is not binding and imposes no requirements on firms. Please refer to Chapter 1 of Part 1 for more information about guidance in the Guide.

1.3 As with Part 1, Part 2 contains guidance on Handbook rules and principles, particularly:

• SYSC 3.2.6R and SYSC 6.1.1R, which require firms to establish and maintain effective systems and controls to prevent the risk that they might be used to further financial crime;

• Principles 1 (integrity), 2 (skill, care and diligence), 3 (management and control) and 11 (relations with regulators) of our Principles for Businesses, which are set out in PRIN 2.1.1R;

• the Statements of Principle for Approved Persons set out in APER 2.1.2P; and

• in relation to guidance on money laundering, the rules in SYSC 3.2.6AR to SYSC 3.2.6JG and SYSC 6.3 (Financial crime).

Chapters 4, 5, and 12 also contain guidance on how firms can meet the requirements of the Money Laundering Regulations 2007; Chapter 12 also contains guidance on the EU Wire Transfer Regulation.[1]

1.4 Not all thematic reviews contain consolidated examples of good and poor practice. All reports do, however, discuss what the FSA found about the practices in place at the firms it visited. This information is not guidance, but firms interested in comparing themselves against their peers' systems and controls and policies and procedures in the areas covered by the reviews can find more information on this in the original reports.

[1] EU Regulation 1781/2006 on information on the payer. See Part 1 Annex 1 of common terms for more information.

2 Firms' high-level management of fraud risk (2006)

Who should read this chapter? This chapter is relevant to all firms subject to the financial crime rules in SYSC 3.2.6R and SYSC 6.1.1R and to e-money institutions and payment institutions within our supervisory scope.

2.1 In February 2006 the FSA reviewed a sample of 16 firms (predominantly larger financial services groups) to assess how firms' senior management were managing fraud risk.

2.2 The findings of the review reflected our overall expectation that firms' senior management should be proactive in taking responsibility for identifying and assessing fraud risk and the adequacy of existing controls, and ensure that, if necessary, appropriate additional controls are put in place. We expect a firm to consider the full implications of the fraud risks it faces, which may have wider effects on its reputation, its customers and the markets in which it operates.

2.3 The report emphasised that fraud is more than just a financial crime issue for firms; it is also a reputational one for the industry as a whole. The report concluded that while there had been some improvement in the management of fraud there was still more that firms could be doing to ensure fraud risk was managed effectively.

2.4 The contents of this report are reflected in Chapter 2 (Financial crime systems and controls) and Chapter 4 (Fraud) of Part 1 of this Guide.

The FSA's findings

2.5 You can read the findings of the FSA's thematic review here:

http://www.fsa.gov.uk/pubs/other/fraud_risk.pdf

Consolidated examples of good and poor practice

2.6 This report did not contain consolidated examples of good and poor practice.

3 Review of private banks' anti-money laundering systems and controls (2007)

Who should read this chapter? This chapter is relevant to private banks (firms which provide banking and investment services in a closely managed relationship to high net-worth clients) and other firms conducting business with customers, such as PEPs, who might pose a higher risk of money laundering. It may also be of interest to other firms we supervise under the Money Laundering Regulations 2007.

3.1 In July 2007 the FSA undertook a review of the anti-money laundering (AML) systems and controls at several FSA-regulated private banks. The review was conducted in response to a report by the FSA's Intelligence team, which had highlighted the high risk of money laundering within private banking.

3.2 This sector is particularly susceptible to money laundering and firms are expected to have high-standard AML systems and controls in place in order to mitigate these risks. The review focused on firms' policies and procedures for identifying, assessing, monitoring and managing the risks with a strong focus on high-risk clients and Politically Exposed Persons (PEPs).

3.3 The key areas examined in depth were a consideration of senior managements' risk appetite and the level of customer due diligence that took place.

3.4 Overall the FSA found that the private banks covered by our review acknowledged the relatively high risk of money laundering within their business activities and recognised the need to develop and implement strong AML systems and controls. The report also emphasised that private banks should obtain and keep up-to-date information on clients.

3.5 The contents of this report are reflected in Chapter 2 (Financial crime systems and controls) and Chapter 3 (Money laundering and terrorist financing) of Part 1 of this Guide.

The FSA's findings

3.6 You can read the findings of the FSA's thematic review here:

http://www.fsa.gov.uk/pubs/other/money_laundering/systems.pdf

Consolidated examples of good and poor practice

3.7 This report did not contain consolidated examples of good and poor practice.

4 Automated Anti-Money Laundering Transaction Monitoring Systems (2007)

Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to all firms for whom we are the supervisory authority under the Money Laundering Regulations 2007.

The extent to which we expect a firm to use automated anti-money laundering transaction monitoring (AML TM) systems depends on considerations such as the nature and scale of its business activities. There may be firms, particularly smaller firms, that monitor credibly and effectively using manual procedures. This chapter will not apply to such firms where they do not, and are not intending to, use AML TM systems, although it may still be of interest to them.

4.1 The FSA wrote a short report on automated Anti-Money Laundering Transaction Monitoring Systems in July 2007. This was in anticipation of the fact that transaction monitoring would become compulsory following the implementation of the Money Laundering Regulations 2007.

4.2 The report explains that the FSA did not anticipate that there would be major changes in firms' practice, as the new framework expressed in law what firms were already doing. Instead, it is to be read as feedback on good practice to assist firms in complying with the Money Laundering Regulations 2007.

4.3 The report confirms our expectation that senior management should be in a position to monitor the performance of transaction monitoring (TM) systems, particularly at firms that experience operational or performance issues with their systems, to ensure issues are resolved in a timely fashion. Particular examples of good practice include transaction monitoring and profiling; especially ensuring unusual patterns of customer activity are identified.

4.4 The contents of this report are reflected in Chapter 2 (Financial crime systems and controls) and Chapter 3 (Money laundering and terrorist financing) of Part 1 of this Guide.

The FSA's findings

4.5 You can read the findings of the FSA's thematic review here:

http://www.fsa.gov.uk/pubs/other/money_laundering/aml_system.pdf

Consolidated examples of good and poor practice

This report contained the following examples of good practice:

Box 4.1: Statement of good practice

• Depending on the nature and scale of a firm's business activities, automated AML TM systems may be an important component of an effective overall AML control environment.

Methodologies

• TM systems use profiling and/or rules-based monitoring methods.

• Profiling identifies unusual patterns of customer activity by applying statistical modelling techniques. These compare current patterns of activity to historical activity for that customer or peer group.

• Rules-based monitoring compares customer activity to fixed pre-set thresholds or patterns to determine if it is unusual.

Development and implementation

• A clear understanding of what the system will deliver and what constraints will be imposed by the limitations of the available data (including any issues arising from data cleanliness or legacy systems).

• Consideration of whether the vendor has the skills, resources and ability to deliver the promised service and provide adequate ongoing support.

• Maintenance of good working relations with the vendor, e.g. when collaborating to agree detailed system configuration.

• Use of recommended hardware, not necessarily a firm's own standard, to reduce processing problems, or otherwise finding a solution that is a good fit with a firm's existing infrastructure.

• A full understanding of the data being entered into the system and of the business's requirements.

• Regular housekeeping and database maintenance (operational resilience is vital to ensure that queries do not back up).

• Careful consideration of the risks of commissioning a bespoke vendor system, which may be incompatible with future standard product upgrades.

• Continued allocation of sufficient resources to ensure manual internal suspicion reporting is effective, as TM can supplement, but not replace, human awareness in day-to-day business.

Effectiveness

• Analyse system performance at a sufficiently detailed level, for example on a rule-by-rule basis, to understand the real underlying drivers of the performance results.

• Set systems so they do not generate fewer alerts simply to improve performance statistics. There is a risk of 'artificially' increasing the proportion of alerts that are ultimately reported as suspicious activity reports without generating an improvement in the quality and quantity of the alerts being generated.

• Deploy analytical tools to identify suspicious activity that is currently not being flagged by existing rules or profile-based monitoring.

• Allocate adequate resources to analysing and assessing system performance, in particular to define how success is measured and produce robust objective data to analyse performance against these measures.

• Consistently monitor from one period to another, rather than on an intermittent basis, to ensure that performance data is not distorted by, for example, ad hoc decisions to run particular rules at different times.

• Measure performance as far as possible against like-for-like comparators, e.g. peers operating in similar markets and using similar profiling and rules.

Oversight

• Senior management should be in a position to monitor the performance of TM systems, particularly at firms that are experiencing operational or performance issues with their systems, so that issues are resolved in a timely fashion.

• Close involvement of the project management process by major business unit stakeholders and IT departments is an important component of successful system implementation.

Reporting & review

• There should be a clear allocation of responsibilities for reviewing, investigating and reporting details of alerts generated by TM systems. Those responsible for this work should have appropriate levels of skill and be subject to effective operational control and quality assurance processes.
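Box 4.1 describes two monitoring methodologies (rules-based checks against fixed thresholds, and profiling that compares a customer's current activity with their own history) and then asks firms to analyse performance rule by rule rather than in aggregate. The Python below is an added illustration written for this summary; it is not code from the FCA, the FSA report or any TM vendor. It runs a toy version of both methodologies over constructed transactions and reports alert counts and escalation rates per rule. Every customer ID, amount, threshold, the z-score cut-off, the minimum baseline length and the placeholder high-risk jurisdiction code "XX" are assumptions made for the example.

```python
"""Toy AML transaction-monitoring (TM) engine: rules-based thresholds plus
statistical profiling, with per-rule performance reporting.

Added example, not FCA or vendor code. All data and thresholds are constructed."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    customer: str
    amount: float               # GBP, constructed
    counterparty_country: str   # country code, constructed


# Constructed baseline: each customer's outgoing total for the last six periods.
HISTORY: dict[str, list[float]] = {
    "C001": [11800, 12300, 11950, 12100, 12400, 11900],  # steady corporate payer
    "C002": [50, 45, 60, 55, 48, 52],                    # low-activity retail account
    # C003 is a new customer with no baseline yet
}

# Constructed current-period transactions.
CURRENT: list[Txn] = [
    Txn("C001", 9500, "GB"),   # normal volume for C001, but sits just under 10k
    Txn("C001", 2600, "GB"),
    Txn("C002", 4000, "GB"),   # roughly 80x this customer's usual period total
    Txn("C002", 30, "GB"),
    Txn("C003", 500, "XX"),    # "XX" is a placeholder high-risk jurisdiction
]

HIGH_RISK_COUNTRIES = {"XX"}   # placeholder list, constructed

# --- Rules-based monitoring: fixed, pre-set thresholds and patterns -----------
RULES = {
    "large_single_payment": lambda t: t.amount >= 10_000,
    "just_below_reporting_threshold": lambda t: 9_000 <= t.amount < 10_000,
    "high_risk_jurisdiction": lambda t: t.counterparty_country in HIGH_RISK_COUNTRIES,
}


def rule_alerts(txns: list[Txn]) -> list[tuple[str, str, float]]:
    """Return (customer, rule_name, amount) for every rule each transaction trips.
    A transaction may raise several alerts; keeping them separate is what makes
    rule-by-rule statistics meaningful."""
    return [(t.customer, name, t.amount)
            for t in txns for name, check in RULES.items() if check(t)]


# --- Profiling: statistical comparison with the customer's own history -------
def profile_alerts(txns: list[Txn], history: dict[str, list[float]],
                   z_threshold: float = 3.0, min_periods: int = 3
                   ) -> list[tuple[str, str, float]]:
    """Flag customers whose current-period total is far from their historical
    mean, measured in standard deviations. Customers with too little history
    are skipped rather than scored on an unreliable baseline; that is the kind
    of data limitation Box 4.1 says a firm must understand before go-live."""
    totals: dict[str, float] = defaultdict(float)
    for t in txns:
        totals[t.customer] += t.amount
    alerts = []
    for cust, total in totals.items():
        hist = history.get(cust, [])
        if len(hist) < min_periods:
            continue
        mu, sigma = mean(hist), pstdev(hist)
        if sigma == 0:                          # flat history: avoid divide-by-zero
            sigma = max(abs(mu) * 0.1, 1.0)
        z = (total - mu) / sigma
        if z >= z_threshold:
            alerts.append((cust, "profile_z", round(z, 2)))
    return alerts


# --- Effectiveness: analyse performance rule by rule, not in aggregate -------
def rule_performance(alerts, escalated: set[tuple[str, str]]
                     ) -> dict[str, dict[str, float]]:
    """Per-rule alert count and share escalated to a SAR. `escalated` holds the
    (customer, rule) pairs an analyst chose to report (constructed here). A
    headline conversion rate can hide that one rule does all the work."""
    raised = Counter(rule for _, rule, _ in alerts)
    hits = Counter(rule for cust, rule, _ in alerts if (cust, rule) in escalated)
    return {rule: {"alerts": n, "escalated_share": round(hits[rule] / n, 2)}
            for rule, n in raised.items()}


def run_tm(txns=CURRENT, history=HISTORY):
    """Run both methodologies and return the combined alert list."""
    return rule_alerts(txns) + profile_alerts(txns, history)


if __name__ == "__main__":
    found = run_tm()
    for alert in found:
        print(alert)
    # Constructed analyst outcomes: only the C002 spike was reported.
    print(rule_performance(found, escalated={("C002", "profile_z")}))
```

On the sample data the threshold rule catches C001's 9,500 payment, which profiling considers normal for that customer, while profiling catches C002's 4,000 payment, which no fixed threshold would notice; C003 is caught only by the jurisdiction rule because it has no baseline to profile against. That complementarity is why Box 4.1 lists both methods, and the per-rule table shows why an aggregate escalation rate on its own says little about which rules are earning their alerts.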

5 Review of firms' implementation of a risk-based approach to anti-money laundering (AML) (2008)

Who should read this chapter? This chapter is relevant, and its statements of good and poor practiceapply, to all firms for whom we are the supervisory authority under the Money LaunderingRegulations 2007.

5.1 In March 2008 the FSA conducted a review of firms' implementation of a risk-based approach to anti-money laundering. This followed the move to a more principles-based regulatory strategy from August 2006, when we replaced the detailed rules contained in the Money Laundering sourcebook with high-level rules in the Senior Management Arrangements, Systems and Controls sourcebook (SYSC) of the Handbook.

5.2 The FSA visited 43 firms in total and gathered additional information from approximately 90 small firms with a survey. The report explored in depth a number of key areas that required improvement, including a review of staff training and the need to ensure staff are aware that it is a constant requirement to ensure AML policies and procedures are up to date and effective.

5.3 Due to the wide range of firms the FSA visited, there were a number of different findings. There were many examples of good practice, particularly in the way the larger firms had fully embraced the risk-based approach to AML and senior management's accountability for effective AML. The FSA also recognised that smaller firms, which generally represent lower risk, had fewer resources to devote to money laundering risk assessment and mitigation.

5.4 The contents of this report are reflected in Chapter 2 (Financial crime systems and controls) and Chapter 3 (Money laundering and terrorist financing) of Part 1 of this Guide.

The FSA’s findings

5.5 You can read the findings of the FSA’s thematic review here:

http://www.fsa.gov.uk/pubs/other/jmlsg_guidance.pdf

Consolidated examples of good and poor practice

Box 5.1: Firms' implementation of a risk-based approach to AML

Examples of good practice:

• One large firm's procedures required it to undertake periodic Know Your Customer (KYC)/Customer Due Diligence (CDD) reviews of existing clients. The depth of the review is determined by the risk ranking assigned to the client. Clients rated A and B are reviewed every three years; Cs every two years; and Ds and Es are reviewed annually. For lower risk (A-C) clients, the review may amount to no more than refreshing the client's file to take account of: significant changes in ownership or capitalisation; changes in the client's line of business; addition of a Politically Exposed Person (PEP) to shareholders or senior management; or any negative news on the client's owners or senior managers. For high risk (D or E) clients, visits to the client are necessary to provide an extra layer of comfort. Such visits would typically cover: review of client's client take-on procedures; sample testing of KYC documentation on underlying clients; and, obtaining answers to outstanding queries on, e.g., annual AML certification, transaction queries, and potential PEP or sanctions hits.

• One building society undertook a comprehensive policy review following the publication of the 2006 JMLSG[2] guidance, in order to identify which parts of the business were affected and what action was needed. It identified eight core business areas, which represented the key operational areas exposed to risk from money laundering. These business areas were ranked in order of risk and formed into workstreams. The local managers from each workstream business area were then trained by the Compliance Policy Team, using a series of presentations and individual workshops, to understand the impact of the risk-based approach, their individual responsibilities and the appropriate customer due diligence policies. These managers were then required to apply this awareness and their existing knowledge of their workstreams' business activities to create documented risk profiles covering customers, products, delivery channels and geography. The risk profiles were graded as Red, Amber and Green and customer due diligence and monitoring requirements set at appropriate levels.

• In response to the SYSC changes, one major bank decided to appoint the MLRO's line manager as the designated director with overarching responsibility for AML controls. This director was seen as the obvious choice for the role, given that his portfolio of responsibilities included fraud, risk and money laundering. The bank's decision formally to appoint a Board-level senior manager to this position was viewed as reinforcing the importance of having in place a robust AML control framework. Following his appointment, the director decided that the management information (MI) on AML issues he had hitherto received was too ad hoc and fragmented. So the SYSC/JMLSG changes proved to be a catalyst for the bank establishing more organised MI and a Group-level Financial Risk Committee to consider relevant issues. (In the past, various Risk Committees had considered such issues.) The new Committee's remit covered fraud, money laundering and sanctions issues; however, its primary focus was AML.

• One large bank judged that staff AML training and awareness were suitable for the development of a risk-based approach. It saw a need to differentiate between AML requirements in various business units, so that training could be adapted to the needs of the job. So in Retail, training had been re-designed to produce a more balanced package. Accordingly, staff were required to undertake one training module per quarter, with the emphasis on a different area in each module and a test taken every quarter. The aim was to see what impact this constant 'drip feed' of training had on suspicious activity reporting. At the time of the FSA's visit, this bank was also in the throes of merging its anti-fraud and AML training. The overall objective was to make it more difficult for criminals to do business with the bank undetected.

Examples of poor practice:

• Some firms did not have a robust approach to classifying the money laundering risk associated with their clients. For example, one wholesale small firm classified all its clients as low or medium risk, despite the fact that most of them were based in Eastern Europe, North Africa and the Middle East. Another firm's risk-assessment procedures provided that the Compliance Officer or MLRO[3] would determine the risk category for each client and would record the basis of the assessment for each client. However, a file review showed no evidence that risk assessments had actually been carried out.

• Some small firms had produced inadequate annual MLRO reports, which failed to demonstrate to their governing body and senior management that the firms' AML systems and controls were operating effectively. In one case, the MLRO stated categorically that there had been no perceived deficiencies in the suspicious activity reporting process. However, he was unable even to describe that process to us, so it was highly unlikely that he had ever reviewed the SAR[4] process for possible deficiencies.

• In one small firm, the MLRO was clearly not fully engaged in his role. For example, he was unaware that we had removed the Money Laundering sourcebook and he was still using an outdated (2003) edition of the JMLSG Guidance. It was not entirely clear whether this arose from a lack of interest in his MLRO function or from inadequate compliance resources at the firm, which left him with insufficient time to keep up to date with AML matters, or a combination of both.

• We found some cases of medium-sized and smaller firms documenting their client take-on procedures but not regularly updating those procedures and not always following them. For example, one firm told us that CDD information on clients was refreshed every time clients applied for a new product or service. However, a file review showed no evidence that this had been done.

• A number of medium-sized and small firms were unaware that it was illegal for them to deal with individuals or entities named on the Treasury's Financial Sanctions list. As a result, no screening of clients or transactions was being undertaken against that list.

• One firm said that it did not routinely check the Financial Sanctions list, because it did not deal with the type of client who might appear on the list.

• Some medium-sized and small firms admitted that staff AML training was an area where improvement was needed. One firm told us that training was delivered as part of an induction programme but not refreshed at regular intervals throughout the employee's career. Another firm said that it provided AML induction training only if a new joiner specifically requested it and no new employee had actually made such a request. The firm's MLRO took the view that most new employees came from the regulated sector, so should already be aware of their AML obligations. Such employees were merely required to sign a form to confirm that they were aware of the firm's AML procedures, but their understanding was never tested.

[2] Joint Money Laundering Steering Group. See Part 1 Annex 1 for common terms.

[3] Money Laundering Reporting Officer. See Part 1 Annex 1 for common terms.

[4] Suspicious Activity Report. See Part 1 Annex 1 for common terms.

6 Data security in Financial Services (2008)

Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to all firms subject to the financial crime rules in SYSC 3.2.6R or SYSC 6.1.1R and to e-money institutions and payment institutions within our supervisory scope.

Content: This chapter contains sections on:

• Governance Box 6.1

• Training and awareness Box 6.2

• Staff recruitment and vetting Box 6.3

• Controls – access rights Box 6.4

• Controls – passwords and user accounts Box 6.5

• Controls – monitoring access to customer data Box 6.6

• Controls – data back-up Box 6.7

• Controls – access to the internet and email Box 6.8

• Controls – key-logging devices Box 6.9

• Controls – laptop Box 6.10

• Controls – portable media including USB devices and CDs Box 6.11

• Physical security Box 6.12

• Disposal of customer data Box 6.13

• Managing third party suppliers Box 6.14

• Internal audit and compliance monitoring Box 6.15


6.1 In April 2008 the FSA published the findings of our thematic review on how financial services firms in the UK were addressing the risk that customer data may be lost or stolen and used to commit fraud or other financial crime. The FSA visited 39 firms, including retail and wholesale banks, investment firms, insurance companies, financial advisers and credit unions. The FSA also took into account our experience of data loss incidents dealt with by our Financial Crime Operations Team: during 2007, the team dealt with 56 cases of lost or stolen data from financial services firms.

6.2 The FSA found a wide variation between good practices demonstrated by firms that were committed to ensuring data security and weakness in firms that were not taking adequate steps. Overall, the FSA found that data security in financial services firms needed to be improved significantly.

6.3 The report concluded that poor data security was a serious, widespread and high-impact risk, and that firms were often failing to consider the wider risks of identity fraud which could occur from cases of significant data loss and the impact of this on consumers. The FSA found that firms lacked a clear understanding of these risks and were therefore failing properly to inform customers, resulting in a lack of transparency.

6.4 The contents of this report are reflected in Chapter 2 (Financial crime systems and controls) and Chapter 5 (Data security) of Part 1 of this Guide.

The FSA’s findings

6.5 You can read the findings of the FSA’s thematic review here:

http://www.fsa.gov.uk/pubs/other/data_security.pdf

Consolidated examples of good and poor practice

Box 6.1: Governance

Examples of good practice:

• Identification of data security as a key specific risk, subject to its own governance, policies and procedures and risk assessment.

• A senior manager with overall responsibility for data security, specifically mandated to manage data security risk assessment and communication between the key stakeholders within the firm such as: senior management, information security, Human Resources, financial crime, security, IT, compliance and internal audit.

• A specific committee with representation from relevant business areas to assess, monitor and control data security risk, which reports to the firm’s Board. As well as ensuring coordinated risk management, this structure sends a clear message to all staff about the importance of data security.

• Written data security policies and procedures that are proportionate, accurate and relevant to staff’s day-to-day work.

• An open and honest culture of communication with pre-determined reporting mechanisms that make it easy for all staff and third parties to report data security concerns and data loss without fear of blame or recrimination.

• Firms seeking external assistance if they feel they do not have the necessary expertise to complete a data security risk assessment themselves.

• Firms liaising with peers and others to increase their awareness of data security risk and the implementation of good systems and controls.

• Detailed plans for reacting to a data loss including when and how to communicate with affected customers.

• Firms writing to affected customers promptly after a data loss, telling them what has been lost and how it was lost.

• Firms offering advice on protective measures against identity fraud to consumers affected by data loss and, where appropriate, paying for such services to be put in place.

Examples of poor practice:

• Treating data security as an IT issue and failing to involve other key staff from across the business in the risk assessment process.

• No written policies and procedures on data security.

• Firms do not understand the need for knowledge-sharing on data security.

• Failing to take opportunities to share information with, and learn from, peers and others about data security risk and not recognising the need to do so.

• A ‘blame culture’ that discourages staff from reporting data security concerns and data losses.

• Failure to notify customers affected by data loss in case the details are picked up by the media.

Box 6.2: Training and awareness

Examples of good practice:

• Innovative training and awareness campaigns that focus on the financial crime risks arising from poor data security, as well as the legal and regulatory requirements to protect customer data.

• Clear understanding among staff about why data security is relevant to their work and what they must do to comply with relevant policies and procedures.

• Simple, memorable and easily digestible guidance for staff on good data security practice.

• Testing of staff understanding of data security policies on induction and once a year after that.

• Competitions, posters, screensavers and group discussion to raise interest in the subject.

Examples of poor practice:

• No training to communicate policies and procedures.

• Managers assuming that employees understand data security risk without any training.

• Data security policies which are very lengthy, complicated and difficult to read.

• Reliance on staff signing an annual declaration stating that they have read policy documents without any further testing.

• Staff being given no incentive to learn about data security.


Box 6.3: Staff recruitment and vetting

Examples of good practice:

• Vetting staff on a risk-based approach, taking into account data security and other fraud risk.

• Enhanced vetting – including checks of credit records, criminal records, financial sanctions lists and the CIFAS Staff Fraud Database – for staff in roles with access to large amounts of customer data.

• Liaison between HR and Financial Crime to ensure that financial crime risk indicators are considered during the vetting process.

• A good understanding of vetting conducted by employment agencies for temporary and contract staff.

• Formalised procedures to assess regularly whether staff in higher-risk positions are becoming vulnerable to committing fraud or being coerced by criminals.

Examples of poor practice:

• Allowing new recruits to access customer data before vetting has been completed.

• Temporary staff receiving less rigorous vetting than permanently employed colleagues carrying out similar roles.

• Failing to consider continually whether staff in higher-risk positions are becoming vulnerable to committing fraud or being coerced by criminals.

Box 6.4: Controls – access rights

Examples of good practice:

• Specific IT access profiles for each role in the firm, which set out exactly what level of IT access is required for an individual to do their job.

• If a staff member changes roles or responsibilities, all IT access rights are deleted from the system and the user is set up using the same process as if they were a new joiner at the firm. The complexity of this process is significantly reduced if role-based IT access profiles are in place – the old one can simply be replaced with the new.

• A clearly-defined process to notify IT of forthcoming staff departures in order that IT accesses can be permanently disabled or deleted on a timely and accurate basis.

• A regular reconciliation of HR and IT user records to act as a failsafe in the event of a failure in the firm’s leavers process.

• Regular reviews of staff IT access rights to ensure that there are no anomalies.

• ‘Least privilege’ access to call recordings and copies of scanned documents obtained for ‘know your customer’ purposes.

• Authentication of customers’ identities using, for example, touch-tone telephone before a conversation with a call centre adviser takes place. This limits the amount of personal information and/or passwords contained in call recordings.

• Masking credit card, bank account details and other sensitive data like customer passwords where this would not affect employees’ ability to do their job.

Examples of poor practice:

• Staff having access to customer data that they do not require to do their job.

• User access rights set up on a case-by-case basis with no independent check that they are appropriate.

• Redundant access rights being allowed to remain in force when a member of staff changes roles.

• User accounts being left ‘live’ or only suspended (i.e. not permanently disabled) when a staff member leaves.

• A lack of independent check of changes effected at any stage in the joiners, movers and leavers process.
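The HR/IT reconciliation that Box 6.4 describes as a failsafe for the leavers process can be run as a simple batch job. The following is an added example, not code from the FCA guide or from any firm: it compares an HR roster with the IT account list and reports orphan accounts, leavers whose accounts are live or only suspended, and movers who kept rights from an old role. The role profiles, the roster, the account list and all field names are constructed assumptions.

```python
"""Reconciling HR records against IT user accounts (joiners, movers, leavers).

Added example for the access-rights controls in Box 6.4. It is not code from the
FCA guide or from any firm; the role profiles, HR roster and IT account list are
constructed sample data and the field names are assumptions.
"""
from dataclasses import dataclass, field

# Hypothetical role-based access profiles: exactly the entitlements each role needs.
ROLE_PROFILES = {
    "call_centre_agent": {"crm_read", "call_recordings_read"},
    "kyc_analyst": {"crm_read", "kyc_documents_read"},
    "dba": {"crm_read", "crm_admin"},
}


@dataclass
class HRRecord:
    user_id: str
    role: str
    active: bool  # False once HR has processed the person as a leaver


@dataclass
class ITAccount:
    user_id: str
    status: str  # "live", "suspended" or "disabled"
    entitlements: set = field(default_factory=set)


def reconcile(hr_records, it_accounts):
    """Compare every IT account with HR and return {user_id: finding}.

    Three failure modes from Box 6.4 are detected: accounts with no HR owner,
    leavers whose accounts are live or merely suspended, and movers who kept
    entitlements outside their current role profile.
    """
    hr_by_id = {r.user_id: r for r in hr_records}
    findings = {}
    for acct in it_accounts:
        hr = hr_by_id.get(acct.user_id)
        if hr is None:
            findings[acct.user_id] = "no HR record: orphan account"
        elif not hr.active and acct.status != "disabled":
            # Suspended is not enough: the guide asks for permanent disabling.
            findings[acct.user_id] = f"leaver account still {acct.status}: must be disabled"
        elif hr.active:
            excess = acct.entitlements - ROLE_PROFILES.get(hr.role, set())
            if excess:
                findings[acct.user_id] = "rights outside role profile: " + ", ".join(sorted(excess))
    return findings


def sample_findings():
    """Run the reconciliation over constructed sample data."""
    hr = [
        HRRecord("u001", "call_centre_agent", True),
        HRRecord("u002", "kyc_analyst", True),  # moved from the call centre; old rights not removed
        HRRecord("u003", "dba", False),          # left the firm; IT only suspended the account
    ]
    it = [
        ITAccount("u001", "live", {"crm_read", "call_recordings_read"}),
        ITAccount("u002", "live", {"crm_read", "kyc_documents_read", "call_recordings_read"}),
        ITAccount("u003", "suspended", {"crm_read", "crm_admin"}),
        ITAccount("u999", "live", {"crm_read"}),  # no HR record at all
    ]
    return reconcile(hr, it)


if __name__ == "__main__":
    for user, finding in sample_findings().items():
        print(user, "-", finding)
```

Each finding maps to one of the poor-practice items in the box (redundant rights after a move, accounts only suspended on leaving, no independent check), so the output can feed the regular access-rights review directly.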

Box 6.5: Controls – passwords and user accounts

Examples of good practice:

• Individual user accounts – requiring passwords – in place for all systems containing customer data.

• Password standards at least equivalent to those recommended by Get Safe Online – a government-backed campaign group. In July 2011, their recommended standard for passwords was a combination of letters, numbers and keyboard symbols at least eight characters in length and changed regularly.

• Measures to ensure passwords are robust. These might include controls to ensure that passwords can only be set in accordance with policy and the use of password-cracking software on a risk-based approach.

• ‘Straight-through processing’, but only if complemented by accurate role-based access profiles and strong passwords.

Examples of poor practice:

• The same user account and password used by multiple users to access particular systems.

• Names and dictionary words used as passwords.

• Systems that allow passwords to be set which do not comply with password policy.

• Individuals share passwords.
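Box 6.5 asks for systems that refuse to set a password outside policy. The check below is an added example, not code from the FCA guide or from Get Safe Online: it applies the July 2011 standard quoted in the box (letters, numbers and keyboard symbols, at least eight characters) and rejects names and dictionary words as the poor-practice column warns. The word list is a constructed stand-in for a real dictionary; the rotation requirement ("changed regularly") is an expiry check outside this snippet.

```python
"""Checking a proposed password against the Box 6.5 standard before it is set.

Added example, not code from the FCA guide or from Get Safe Online. It applies the
July 2011 standard quoted in Box 6.5 (letters, numbers and keyboard symbols, at least
eight characters) and the Box 6.5 poor-practice points (names and dictionary words).
The small word list is a constructed stand-in for a real dictionary.
"""
import string

KEYBOARD_SYMBOLS = set(string.punctuation)

# Constructed stand-in for a full dictionary/wordlist.
COMMON_WORDS = {"password", "welcome", "summer", "london", "letmein", "qwerty"}


def policy_failures(password, user_names=(), wordlist=COMMON_WORDS):
    """Return the list of policy rules the password breaks (empty means compliant)."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        failures.append("no letters")
    if not any(c.isdigit() for c in password):
        failures.append("no numbers")
    if not any(c in KEYBOARD_SYMBOLS for c in password):
        failures.append("no keyboard symbols")
    # Drop digits and symbols so that "Summer2011!" is recognised as the word "summer".
    letters_only = "".join(c for c in password if c.isalpha()).lower()
    if letters_only in wordlist:
        failures.append("based on a dictionary word")
    for name in user_names:
        if name and name.lower() in password.lower():
            failures.append(f"contains the user's name '{name}'")
    return failures


def is_compliant(password, user_names=()):
    """True only when every rule passes; a system should refuse to set the password otherwise."""
    return not policy_failures(password, user_names)


if __name__ == "__main__":
    for candidate in ("Summer2011!", "abc", "Tr4vel-by-Sea!"):
        print(candidate, "->", policy_failures(candidate, ["Jane", "Smith"]) or "compliant")
```

Returning the full list of failures rather than a bare yes/no lets the system tell the user exactly which rule was broken, which is what keeps staff from working around the policy.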


Box 6.6: Controls – monitoring access to customer data

Examples of good practice:

• Risk-based, proactive monitoring of staff’s access to customer data to ensure it is being accessed and/or updated for a genuine business reason.

• The use of software designed to spot suspicious activity by employees with access to customer data. Such software may not be useful in its ‘off-the-shelf’ format so it is good practice for firms to ensure that it is tailored to their business profile.

• Strict controls over superusers’ access to customer data and independent checks of their work to ensure they have not accessed, manipulated or extracted data that was not required for a particular task.

Examples of poor practice:

• Assuming that vetted staff with appropriate access rights will always act appropriately. Staff can breach procedures, for example by looking at account information relating to celebrities, be tempted to commit fraud themselves or be bribed or threatened to give customer data to criminals.

• Failure to make regular use of management information about access to customer data.

• Failing to monitor superusers or other employees with access to large amounts of customer data.
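The box notes that off-the-shelf monitoring software usually needs tailoring to the firm's business profile. The added example below, which is not code from the FCA guide or from any vendor, shows what that tailoring looks like in practice: an access log is reviewed against the firm's own case assignments, its superuser list and a list of flagged (for instance high-profile) accounts, so that access with no evident business reason is surfaced for a reviewer. The log format, the sample lines, the lists and the bulk-access threshold are all constructed assumptions.

```python
"""Reviewing a customer-data access log for activity with no evident business reason.

Added example for the monitoring controls in Box 6.6; it is not code from the FCA
guide or from any firm. The log format, the case-assignment list, the superuser list
and the flagged-account list are all constructed assumptions, as is the threshold for
bulk access.
"""
import re
from collections import defaultdict

# Assumed log line layout; real systems will differ.
LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) account=(?P<account>\S+) "
    r"action=(?P<action>\S+) ticket=(?P<ticket>\S+)$"
)


def parse_line(line):
    """Parse one constructed-format log line into a dict; reject anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def review_access(log_lines, open_cases, superusers, flagged_accounts, bulk_threshold=3):
    """Return (user, account, reason) alerts for a reviewer to follow up.

    Rules: ordinary staff should only touch accounts in their open cases; superusers
    should only touch customer data under a work ticket; any access to a flagged
    account is reported; and a user touching many distinct accounts in the period
    is reported as possible bulk extraction.
    """
    alerts = []
    accounts_seen = defaultdict(set)
    for line in log_lines:
        ev = parse_line(line)
        user, account = ev["user"], ev["account"]
        accounts_seen[user].add(account)
        if user in superusers:
            if ev["ticket"] == "-":
                alerts.append((user, account, "superuser access without a work ticket"))
        elif account not in open_cases.get(user, set()):
            alerts.append((user, account, "access to an account outside the user's open cases"))
        if account in flagged_accounts:
            alerts.append((user, account, "access to a flagged account"))
    for user, accounts in accounts_seen.items():
        if len(accounts) >= bulk_threshold:
            alerts.append((user, "*", f"{len(accounts)} distinct accounts accessed in the period"))
    return alerts


def sample_alerts():
    """Run the review over constructed sample log lines."""
    lines = [
        "2013-04-02T09:14:05 user=agent07 account=ACC-1001 action=view ticket=-",
        "2013-04-02T09:20:11 user=agent07 account=ACC-2002 action=view ticket=-",
        "2013-04-02T09:31:44 user=dba02 account=ACC-3003 action=export ticket=CHG-4411",
        "2013-04-02T09:35:02 user=dba02 account=ACC-4004 action=export ticket=-",
        "2013-04-02T10:02:19 user=agent07 account=ACC-9009 action=view ticket=-",
    ]
    open_cases = {"agent07": {"ACC-1001"}}  # constructed case assignments
    return review_access(lines, open_cases, superusers={"dba02"}, flagged_accounts={"ACC-9009"})


if __name__ == "__main__":
    for alert in sample_alerts():
        print(*alert, sep=" | ")
```

The alerts are management information for the independent check the box calls for; the reviewer, not the script, decides whether each access had a genuine business reason.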

Box 6.7: Controls – data back-up

Examples of good practice:

• Firms conducting a proper risk assessment of threats to data security arising from the data back-up process – from the point that back-up tapes are produced, through the transit process to the ultimate place of storage.

• Firms encrypting backed-up data that is held off-site, including while in transit.

• Regular reviews of the level of encryption to ensure it remains appropriate to the current risk environment.

• Back-up data being transferred by secure Internet links.

• Due diligence on third parties that handle backed-up customer data so the firm has a good understanding of how it is secured, exactly who has access to it and how staff with access to it are vetted.

• Staff with responsibility for holding backed-up data off-site being given assistance to do so securely. For example, firms could offer to pay for a safe to be installed at the staff member’s home.

• Firms conducting spot checks to ensure that data held off-site is held in accordance with accepted policies and procedures.

Examples of poor practice:

• Firms failing to consider data security risk arising from the backing up of customer data.

• A lack of clear and consistent procedures for backing up data, resulting in data being backed up in several different ways at different times. This makes it difficult for firms to keep track of copies of their data.

• Unrestricted access to back-up tapes for large numbers of staff at third party firms.

• Back-up tapes being held insecurely by firm’s employees; for example, being left in their cars or at home on the kitchen table.


Box 6.8: Controls – access to the internet and email

Examples of good practice:

• Giving internet and email access only to staff with a genuine business need.

• Considering the risk of data compromise when monitoring external email traffic, for example by looking for strings of numbers that might be credit card details.

• Where proportionate, using specialist IT software to detect data leakage via email.

• Completely blocking access to all internet content which allows web-based communication. This content includes web-based email, messaging facilities on social networking sites, external instant messaging and ‘peer-to-peer’ file-sharing software.

• Firms that provide cyber-cafes for staff to use during breaks ensuring that web-based communications are blocked or that data cannot be transferred into the cyber-cafe, either in electronic or paper format.

Examples of poor practice:

• Allowing staff who handle customer data to have access to the internet and email if there is no business reason for this.

• Allowing access to web-based communication Internet sites. This content includes web-based email, messaging facilities on social networking sites, external instant messaging and ‘peer-to-peer’ file-sharing software.

Box 6.9: Controls – key-logging devices

Examples of good practice:

• Regular sweeping for key-logging devices in parts of the firm where employees have access to large amounts of, or sensitive, customer data. (Firms will also wish to conduct sweeps in other sensitive areas. For example, where money can be transferred.)

• Use of software to determine whether unusual or prohibited types of hardware have been attached to employees’ computers.

• Raising awareness of the risk of key-logging devices. The vigilance of staff is a useful method of defence.

• Anti-spyware software and firewalls etc in place and kept up to date.

Box 6.10: Controls – laptop

Examples of good practice:

• The encryption of laptops and other portable devices containing customer data.

• Controls that mitigate the risk of employees failing to follow policies and procedures. The FSA has dealt with several cases of lost or stolen laptops that arose from firms’ staff not doing what they should.

• Maintaining an accurate register of laptops issued to staff.

• Regular audits of the contents of laptops to ensure that only staff who are authorised to hold customer data on their laptops are doing so and that this is for genuine business reasons.

• The wiping of shared laptops’ hard drives between uses.

Examples of poor practice:

• Unencrypted customer data on laptops.

• A poor understanding of which employees have been issued or are using laptops to hold customer data.

• Shared laptops used by staff without being signed out or wiped between uses.

Box 6.11: Controls – portable media including USB devices and CDs

Examples of good practice:

• Ensuring that only staff with a genuine business need can download customer data to portable media such as USB devices and CDs.

• Ensuring that staff authorised to hold customer data on portable media can only do so if it is encrypted.

• Maintaining an accurate register of staff allowed to use USB devices and staff who have been issued USB devices.

• The use of software to prevent and/or detect individuals using personal USB devices.

• Firms reviewing regularly and on a risk-based approach the copying of customer data to portable media to ensure there is a genuine business reason for it.

• The automatic encryption of portable media attached to firms’ computers.

• Providing lockers for higher-risk staff such as call centre staff and superusers and restricting them from taking personal effects to their desks.

Examples of poor practice:

• Allowing staff with access to bulk customer data – for example, superusers – to download to unencrypted portable media.

• Failing to review regularly threats posed by increasingly sophisticated and quickly evolving personal technology such as mobile phones.
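Box 6.8 suggests monitoring external email for strings of numbers that might be credit card details, and Box 6.4 recommends masking card details wherever staff do not need them. The following added example, which is not code from the FCA guide or from any vendor, shows the core of such a check: candidate digit runs are found with a regular expression and then filtered with the Luhn check digit test, so that phone numbers and reference numbers are not reported; the same matcher drives a masking function that keeps only the last four digits. The sample message is constructed, and 4111 1111 1111 1111 is a widely published test card number, not a real account.

```python
"""Spotting and masking card-number-like strings in outbound email.

Added example for the email-monitoring point in Box 6.8 (looking for strings of
numbers that might be credit card details) and the masking point in Box 6.4. It is
not code from the FCA guide or from any vendor. The sample message is constructed;
4111 1111 1111 1111 is a well-known test card number, not a real account.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check digit test; weeds out most phone numbers and reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _is_card_like(candidate):
    digits = re.sub(r"[ -]", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_card_numbers(text):
    """Return the candidate strings that pass the Luhn check."""
    return [m.group() for m in CANDIDATE_RE.finditer(text) if _is_card_like(m.group())]


def mask_card_numbers(text):
    """Replace each card-like number with asterisks, keeping the last four digits."""
    def redact(m):
        if not _is_card_like(m.group()):
            return m.group()  # Luhn failed: leave reference numbers untouched
        digits = re.sub(r"[ -]", "", m.group())
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE_RE.sub(redact, text)


def screen_outbound(message):
    """Decision for an outbound email gateway: hold the message if it carries card data."""
    hits = find_card_numbers(message)
    return {"hold": bool(hits), "matches": len(hits), "redacted": mask_card_numbers(message)}


SAMPLE_MESSAGE = (  # constructed sample
    "Hi, the card used was 4111 1111 1111 1111, please refund. "
    "Case ref 1234567890123, call me on 020 7066 1000."
)

if __name__ == "__main__":
    print(screen_outbound(SAMPLE_MESSAGE))
```

The Luhn filter is what makes the rule usable in a gateway: the 13-digit case reference in the sample is a regex candidate but fails the check, so only the genuine card number is held and masked. A production control would add issuer prefix checks and handle attachments, which this snippet does not.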


Box 6.12: Physical security

Examples of good practice:

• Appropriately restricted access to areas where large amounts of customer data are accessible, such as server rooms, call centres and filing areas.

• Using robust intruder deterrents such as keypad entry doors, alarm systems, grilles or barred windows, and closed circuit television (CCTV).

• Robust procedures for logging visitors and ensuring adequate supervision of them while on-site.

• Training and awareness programmes for staff to ensure they are fully aware of more basic risks to customer data arising from poor physical security.

• Employing security guards, cleaners etc directly to ensure an appropriate level of vetting and reduce risks that can arise through third party suppliers accessing customer data.

• Using electronic swipe card records to spot unusual behaviour or access to high risk areas.

• Keeping filing cabinets locked during the day and leaving the key with a trusted member of staff.

• An enforced clear-desk policy.

Examples of poor practice:

• Allowing staff or other persons with no genuine business need to access areas where customer data is held.

• Failure to check electronic records showing who has accessed sensitive areas of the office.

• Failure to lock away customer records and files when the office is left unattended.

Box 6.13: Disposal of customer data

Examples of good practice:

• Procedures that result in the production of as little paper-based customer data as possible.

• Treating all paper as ‘confidential waste’ to eliminate confusion among employees about which type of bin to use.

• All customer data disposed of by employees securely, for example by using shredders (preferably cross-cut rather than straight-line shredders) or confidential waste bins.

• Checking general waste bins for the accidental disposal of customer data.

• Using a third party supplier, preferably one with BSIA[5] accreditation, which provides a certificate of secure destruction, to shred or incinerate paper-based customer data. It is important for firms to have a good understanding of the supplier’s process for destroying customer data and their employee vetting standards.

• Providing guidance for travelling or home-based staff on the secure disposal of customer data.

• Computer hard drives and portable media being properly wiped (using specialist software) or destroyed as soon as they become obsolete.

Examples of poor practice:

• Poor awareness among staff about how to dispose of customer data securely.

• Slack procedures that present opportunities for fraudsters, for instance when confidential waste is left unguarded on the premises before it is destroyed.

• Staff working remotely failing to dispose of customer data securely.

• Firms failing to provide guidance or assistance to remote workers who need to dispose of an obsolete home computer.

• Firms stockpiling obsolete computers and other portable media for too long and in insecure environments.

• Firms relying on others to erase or destroy their hard drives and other portable media securely without evidence that this has been done competently.

[5] British Security Industry Association

Box 6.14: Managing third-party suppliers

Examples of good practice:

• Conducting due diligence of data security standards at third-party suppliers before contracts are agreed.

• Regular reviews of third-party suppliers’ data security systems and controls, with the frequency of review dependent on data security risks identified.

• Ensuring third-party suppliers’ vetting standards are adequate by testing the checks performed on a sample of staff with access to customer data.

• Only allowing third-party IT suppliers access to customer databases for specific tasks on a case-by-case basis.

• Third-party suppliers being subject to procedures for reporting data security breaches within an agreed timeframe.

• The use of secure internet links to transfer data to third parties.

Examples of poor practice:

• Allowing third-party suppliers to access customer data when no due diligence of data security arrangements has been performed.

• Firms not knowing exactly which third-party staff have access to their customer data.

• Firms not knowing how third-party suppliers’ staff have been vetted.

• Allowing third-party staff unsupervised access to areas where customer data is held when they have not been vetted to the same standards as employees.

• Allowing IT suppliers unrestricted or unmonitored access to customer data.

• A lack of awareness of when/how third-party suppliers can access customer data and failure to monitor such access.

• Unencrypted customer data being sent to third parties using unregistered post.

Box 6.15: Internal audit and compliance monitoring

Examples of good practice:

• Firms seeking external assistance where they do not have the necessary in-house expertise or resources.

• Compliance and internal audit conducting specific reviews of data security which cover all relevant areas of the business including IT, security, HR, training and awareness, governance and third-party suppliers.

• Firms using expertise from across the business to help with the more technical aspects of data security audits and compliance monitoring.

Examples of poor practice:

• Compliance focusing only on compliance with data protection legislation and failing to consider adherence to data security policies and procedures.

• Compliance consultants adopting a ‘one size fits all’ approach to different clients’ businesses.


7 Review of financial crime controls in offshore centres (2008)

Who should read this chapter? This chapter is relevant to:

• all firms subject to the financial crime rules in SYSC 3.2.6R or SYSC 6.1.1R; and

• e-money institutions and payment institutions within our supervisory scope who have or are considering establishing operations in offshore centres.

7.1 In the second half of 2008 the FSA reviewed how financial services firms in the UK were addressing financial crime risks in functions they had moved to offshore centres. The review followed on from the FSA’s report into data security in financial services (April 2008 – http://www.fsa.gov.uk/pubs/other/data_security.pdf).

7.2 The main financial crime risks the FSA reviewed were: customer data being lost or stolen and used to facilitate fraud; money laundering; and fraud. The review found that, while there were good data security controls in place across the industry, continued effort was required to ensure controls did not break down and that they remained ‘valid and risk-based’.

7.3 The review emphasised the importance of appropriate vetting and training of all staff, particularly with regard to local staff who had financial crime responsibilities. An examination revealed that training in this area was often lacking and not reflective of the needs of, and work done by, members of staff. The report emphasised that senior management should ensure that staff operating in these roles were given proper financial crime training as well as ensuring they possessed the appropriate technical know-how. The review also highlighted that, due to high staff turnover, firms needed appropriate and thorough vetting controls to supplement inadequate local electronic intelligence and search systems.

7.4 The contents of this report are reflected in Chapter 2 (Financial crime systems and controls) and Chapter 5 (Data security) of Part 1 of this Guide.

The FSA’s findings

7.5 You can read the findings of the FSA’s thematic review here:

http://www.fsa.gov.uk/pages/About/What/financial_crime/library/reports/review_offshore.shtml

Consolidated examples of good and poor practice

7.6 This report did not contain consolidated examples of good and poor practice.

8 Financial services firms’ approach to UK financial sanctions (2009)

Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to all firms subject to the financial crime rules in SYSC 3.2.6R or SYSC 6.1.1R and to e-money institutions and payment institutions within our supervisory scope.

Content: This chapter contains sections on:

• Senior management responsibility Box 8.1

• Risk assessment Box 8.2

• Policies and procedures Box 8.3

• Staff training and awareness Box 8.4

• Screening during client take-on Box 8.5

• Ongoing screening Box 8.6

• Treatment of potential target matches Box 8.7

8.1 In April 2009 the FSA published the findings of our thematic review of firms’ approach to UK financial sanctions. The FSA received 228 responses to an initial survey from a broad range of firms across the financial services industry, ranging from small firms to major financial groups, both retail and wholesale. Tailored surveys were sent to different types of firms to ensure that the questions were relevant to the nature and scale of the business of each firm. The FSA then selected a sub-sample of 25 firms to visit to substantiate the findings from the surveys.

8.2 The review highlighted areas where there was significant scope across the industry for improvement in firms’ systems and controls to comply with the UK financial sanctions regime. The FSA found that, while some firms had robust systems in place that were appropriate to their business need, others, including some major firms, lacked integral infrastructure and struggled with inappropriate systems for their business. In small firms in particular, the FSA found a widespread lack of awareness of the UK financial sanctions regime.

8.3 The report examined a number of key areas of concern which included an in-depth look at whether senior management were aware of their responsibilities and, if so, were responding in an appropriate manner. The FSA also identified issues over the implementation of policies and procedures, particularly those put in place to ensure that staff were adequately trained, were kept aware of changes in this area, and knew how to respond when sanctions were imposed. The FSA also had concerns about firms’ screening of clients, both initially and as an ongoing process.

8.4 The contents of this report are reflected in Chapter 2 (Financial crime systems and controls) and Chapter 7 (Sanctions and asset freezes) of Part 1 of this Guide.

The FSA’s findings

8.5 You can read the findings of the FSA’s thematic review here:

http://www.fsa.gov.uk/pubs/other/Sanctions_final_report.pdf

Consolidated examples of good and poor practice

Box 8.1: Senior management responsibility

Examples of good practice:

• Senior management involvement in approving and taking responsibility for policies and procedures.

• A level of senior management awareness of the firm’s obligations regarding financial sanctions sufficient to enable them to discharge their functions effectively.

• Appropriate escalation in cases where a potential target match cannot easily be verified.

• Adequate and appropriate resources allocated by senior management.

• Appropriate escalation of actual target matches and breaches of UK financial sanctions.

Examples of poor practice:

• No senior management involvement or understanding regarding the firm’s obligations under the UK financial sanctions regime, or its systems and controls to comply with it.

• No, or insufficient, management oversight of the day-to-day operation of systems and controls.

• Failure to include assessments of the financial sanctions systems and controls as a normal part of internal audit programmes.

• No senior management involvement in any cases where a potential target match cannot easily be verified.

• Senior management never being made aware of a target match or breach of sanctions for an existing customer.

• Inadequate or inappropriate resources allocated to financial sanctions compliance with our requirements.

Box 8.2: Risk assessment

Examples of good practice:

• Conducting a comprehensive risk assessment, based on a good understanding of the financial sanctions regime, covering the risks that may be posed by clients, transactions, services, products and jurisdictions.

• Taking into account associated parties, such as directors and beneficial owners.

• A formal documented risk assessment with a clearly documented rationale for the approach.

Examples of poor practice:

• Not assessing the risks that the firm may face of breaching financial sanctions.

• Risk assessments that are based on misconceptions.

Box 8.3: Policies and procedures

Examples of good practice:

• Documented policies and procedures in place, which clearly set out a firm’s approach to complying with its legal and regulatory requirements in this area.

• Group-wide policies for UK financial sanctions screening, to ensure that business unit-specific policies and procedures reflect the standard set out in group policy.

• Effective procedures to screen against the Consolidated List[6] that are appropriate for the business, covering customers, transactions and services across all products and business lines.

• Clear, simple and well understood escalation procedures to enable staff to raise financial sanctions concerns with management.

• Regular review and update of policies and procedures.

• Regular reviews of the effectiveness of policies, procedures, systems and controls by the firm’s internal audit function or another independent party.

• Procedures that include ongoing monitoring/screening of clients.

Examples of poor practice:

• No policies or procedures in place for complying with the legal and regulatory requirements of the UK financial sanctions regime.

• Internal audits of procedures carried out by persons with responsibility for oversight of financial sanctions procedures, rather than an independent party.

Box 8.4: Staff training and awareness

Examples of good practice:

• Regularly updated training and awareness programmes that are relevant and appropriate for employees’ particular roles.

• Testing to ensure that employees have a good understanding of financial sanctions risks and procedures.

• Ongoing monitoring of employees’ work to ensure they understand the financial sanctions procedures and are adhering to them.

• Training provided to each business unit covering both the group-wide and business unit-specific policies on financial sanctions.

Examples of poor practice:

• No training on financial sanctions.

• Relevant staff unaware of the firm’s policies and procedures to comply with the UK financial sanctions regime.

• Changes to the financial sanctions policies, procedures, systems and controls are not communicated to relevant staff.

[6] See Part 1 Annex 1 for descriptions of common terms.

Box 8.5: Screening during client take-on

Examples of good practice:

• An effective screening system appropriate to the nature, size and risk of the firm’s business.

• Screening against the Consolidated List at the time of client take-on, before providing any services or undertaking any transactions for a customer.

• Screening directors and beneficial owners of corporate customers.

• Screening third party payees where adequate information is available.

• Where the firm’s procedures require dual control (e.g. a ‘four eyes’ check) to be used, having in place an effective process to ensure this happens.

• The use of ‘fuzzy matching’ where automated screening systems are used.

• Where a commercially available automated screening system is implemented, making sure that there is a full understanding of the capabilities and limits of the system.

Examples of poor practice:

• Screening only on notification of a claim on an insurance policy, rather than during client take-on.

• Relying on other FSA-authorised firms and compliance consultants to screen clients against the Consolidated List without taking reasonable steps to ensure that they are doing so effectively.

• Assuming that AML customer due diligence checks include screening against the Consolidated List.

• Failing to screen UK-based clients on the assumption that there are no UK-based persons or entities on the Consolidated List, or failure to screen due to any other misconception.

• Large global institutions with millions of clients using manual screening, increasing the likelihood of human error and leading to matches being missed.

• IT systems that cannot flag potential matches clearly and prominently.

• Firms calibrating their screening rules too narrowly or too widely so that they, for example, match only exact names with the Consolidated List or generate large numbers of resource-intensive false positives.

• Regarding the implementation of a commercially available sanctions screening system as a panacea, with no further work required by the firm.

• Failing to tailor a commercially available sanctions screening system to the firm’s requirements.

Box 8.6: Ongoing screening

Examples of good practice:

• Screening of the entire client base within a reasonable time following updates to the Consolidated List.

• Ensuring that customer data used for ongoing screening is up to date and correct.

Examples of poor practice:

• No ongoing screening of customer databases or transactions.

• Failure to screen directors and beneficial owners of corporate customers and/or third party payees where adequate information is available.

Box 8.6: Ongoing screening (continued)

Examples of good practice:

• Processes that include screening for indirect as well as direct customers and also third party payees, wherever possible.

• Processes that include screening changes to corporate customers’ data (e.g. when new directors are appointed or if there are changes to beneficial owners).

• Regular reviews of the calibration and rules of automated systems to ensure they are operating effectively.

• Screening systems calibrated in accordance with the firm’s risk appetite, rather than the settings suggested by external software providers.

• Systems calibrated to include ‘fuzzy matching’, including name reversal, digit rotation and character manipulation.

• Flags on systems prominently and clearly identified.

• Controls that require referral to relevant compliance staff prior to dealing with flagged individuals or entities.

Examples of poor practice:

• Failure to review the calibration and rules of automated systems, or to set the calibration in accordance with the firm’s risk appetite.

• Flags on systems that are dependent on staff looking for them.

• Controls on systems that can be overridden without referral to compliance.

Box 8.7: Treatment of potential target matches

Examples of good practice:

• Procedures for investigating whether a potential match is an actual target match or a false positive.

• Procedures for freezing accounts where an actual target match is identified.

• Procedures for notifying the Treasury’s Asset Freezing Unit (AFU) promptly of any confirmed matches.

• Procedures for notifying senior management of target matches and of cases where the firm cannot determine whether a potential match is the actual target on the Consolidated List.

• A clear audit trail of the investigation of potential target matches and the decisions and actions taken, such as the rationale for deciding that a potential target match is a false positive.

Examples of poor practice:

• No procedures in place for investigating potential matches with the Consolidated List.

• Discounting actual target matches incorrectly as false positives due to insufficient investigation.

• No audit trail of decisions where potential target matches are judged to be false positives.
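The calibration point in Boxes 8.5 and 8.6 (exact-only matching misses simple variants, an over-loose rule floods the compliance team with false positives) and the audit-trail requirement in Box 8.7 are easier to see in code. The following Python sketch is an added example, not code from the FCA guide or from any screening vendor. The list entries, customer names, thresholds, the corporate-suffix stop list and the use of difflib’s similarity ratio are all assumptions made for illustration; it handles name reversal and single-character edits or transpositions, and does not attempt the digit rotation on identifiers that the guide also mentions. A production system screens against the real Consolidated List with rules calibrated to the firm’s own risk appetite.

```python
"""Added example: fuzzy sanctions screening with threshold calibration and an
audit trail for each potential match. Names, IDs and thresholds are constructed."""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher
from itertools import permutations

# Constructed stand-in for the Consolidated List: fictitious names, made-up IDs.
SANCTIONS_LIST = {
    "SL0001": "Mohammed Al-Rashid",
    "SL0002": "Ivan Petrovich Sokolov",
    "SL0003": "Northbridge Trading Company Ltd",
}

# Constructed customer records to run the screening over.
SAMPLE_CUSTOMERS = [
    "Mohamed Al Rashid",        # spelling variant of SL0001
    "Sokolov Ivan Petrovich",   # name reversal of SL0002
    "Ivan Petrov",              # shares a prefix with SL0002: a likely false positive
    "Northbridge Trading Co.",  # corporate suffix differs from SL0003
    "Jane Doe",                 # unrelated to the list
]

# Assumed stop list of corporate suffixes that should not drive a match either way.
CORPORATE_NOISE = {"ltd", "limited", "company", "co", "inc", "llc", "plc"}


def normalise(name):
    """Fold accents and case, drop punctuation and corporate suffixes, return tokens."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z0-9 ]", " ", ascii_name.lower())
    return [t for t in cleaned.split() if t not in CORPORATE_NOISE]


def similarity(candidate, listed):
    """Best ratio over token orderings of the candidate, so 'Sokolov Ivan' still
    hits 'Ivan Sokolov'. The ratio also tolerates a dropped or transposed character."""
    tokens = normalise(candidate)
    target = " ".join(normalise(listed))
    orderings = permutations(tokens) if len(tokens) <= 4 else [tokens, list(reversed(tokens))]
    return max(SequenceMatcher(None, " ".join(o), target).ratio() for o in orderings)


def screen(customer, threshold):
    """Return [(list_id, score)] for every list entry scoring at or above threshold."""
    hits = []
    for list_id, listed in SANCTIONS_LIST.items():
        score = round(similarity(customer, listed), 3)
        if score >= threshold:
            hits.append((list_id, score))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def calibrate(customers, thresholds=(1.0, 0.85, 0.6)):
    """Alert volume per threshold: 1.0 is exact-only and misses the variants,
    0.6 also raises the Ivan Petrov near-miss, which the team must then clear."""
    return {t: sum(len(screen(c, t)) for c in customers) for t in thresholds}


@dataclass
class Alert:
    customer: str
    list_id: str
    score: float
    disposition: str = "open"   # open | false_positive | confirmed
    rationale: str = ""


def raise_alerts(customer, threshold):
    return [Alert(customer, lid, score) for lid, score in screen(customer, threshold)]


def close_alert(alert, disposition, rationale):
    """Record the decision. A match discounted with no written rationale is rejected,
    which is the audit-trail failure Box 8.7 lists as poor practice."""
    if disposition not in ("false_positive", "confirmed"):
        raise ValueError("disposition must be false_positive or confirmed")
    if not rationale.strip():
        raise ValueError("decision on a potential match needs a documented rationale")
    alert.disposition, alert.rationale = disposition, rationale
    return alert


def required_actions(alert):
    """Follow-up steps Box 8.7 expects: freeze, notify the Treasury's AFU, escalate."""
    if alert.disposition == "confirmed":
        return ["freeze account", "notify HM Treasury AFU", "escalate to senior management"]
    if alert.disposition == "open":
        return ["investigate; escalate to senior management if the match cannot be verified"]
    return []


if __name__ == "__main__":
    for threshold, count in calibrate(SAMPLE_CUSTOMERS).items():
        print(f"threshold {threshold}: {count} alerts over {len(SAMPLE_CUSTOMERS)} customers")
```

Running the module prints the alert count at each threshold; the jump between 0.85 and 0.6 is the extra work a loose setting creates, and the gap between 1.0 and 0.85 is the variants an exact-only rule would silently miss.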

9 Anti-bribery and corruption in commercial insurance broking (2010)

Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to:

• commercial insurance brokers and other firms who are subject to the financial crime rules in SYSC 3.2.6R or SYSC 6.1.1R; and

• e-money institutions and payment institutions within our supervisory scope.

Except that Box 9.3 and Box 9.4 only apply to those firms or institutions who use third parties to win business. It may also be of interest to other firms who are subject to SYSC 3.2.6R and SYSC 6.1.1R.

Content: This chapter contains sections on:

• Governance and management information Box 9.1

• Risk assessment and responses to significant bribery and corruption events Box 9.2

• Due diligence on third-party relationships Box 9.3

• Payment controls Box 9.4

• Staff recruitment and vetting Box 9.5

• Training and awareness Box 9.6

• Risk arising from remuneration structures Box 9.7

• Incident reporting Box 9.8

• The role of compliance and internal audit Box 9.9

9.1 In May 2010 the FSA published the findings of our review into the way commercial insurance broker firms in the UK addressed the risks of becoming involved in corrupt practices such as bribery. The FSA visited 17 broker firms. Although this report focused on commercial insurance brokers, the findings are relevant in other sectors.

9.2 The report examined standards in managing the risk of illicit payments or inducements to, or on behalf of, third parties in order to obtain or retain business.

9.3 The report found that many firms’ approach towards high-risk business was not of an acceptable standard and that there was a risk that firms were not able to demonstrate that adequate procedures were in place to prevent bribery from occurring.

9.4 The report identified a number of common concerns, including weak governance and a poor understanding of bribery and corruption risks among senior managers, as well as very little or no specific training and weak vetting of staff. The FSA found that there was a general failure to implement a risk-based approach to anti-bribery and corruption and very weak due diligence and monitoring of third-party relationships and payments.

9.5 The contents of this report are reflected in Chapter 2 (Financial crime systems and controls) and Chapter 6 (Bribery and corruption) of Part 1 of this Guide.

The FSA’s findings

9.6 You can read the findings of the FSA’s thematic review here:

http://www.fsa.gov.uk/pubs/anti_bribery.pdf

Consolidated examples of good and poor practice

Box 9.1: Governance and management information

Examples of good practice:

• Clear, documented responsibility for anti-bribery and corruption apportioned to either a single senior manager or a committee with appropriate Terms of Reference and senior management membership, reporting ultimately to the Board.

• Good Board-level and senior management understanding of the bribery and corruption risks faced by the firm, the materiality to their business and how to apply a risk-based approach to anti-bribery and corruption work.

• Swift and effective senior management-led response to significant bribery and corruption events, which highlight potential areas for improvement in systems and controls.

• Regular MI to the Board and other relevant senior management forums.

• MI includes information about third parties including (but not limited to) new third party accounts, their risk classification, higher risk third party payments for the preceding period, changes to third-party bank account details and unusually high commission paid to third parties.

• MI submitted to the Board ensures they are adequately informed of any external developments relevant to bribery and corruption.

• Actions taken or proposed in response to issues highlighted by MI are minuted and acted on appropriately.

Examples of poor practice:

• Failing to allocate official responsibility for anti-bribery and corruption to a single senior manager or appropriately formed committee.

• A lack of awareness and/or engagement in anti-bribery and corruption at senior management or Board level.

• Little or no MI sent to the Board about higher risk third party relationships or payments.

• Failing to include details of wider issues, such as new legislation or regulatory developments, in MI.

• IT systems unable to produce the necessary MI.

Box 9.2: Risk assessment and responses to significant bribery and corruption events

Examples of good practice:

• Regular assessments of bribery and corruption risks with a specific senior person responsible for ensuring this is done, taking into account the country and class of business involved as well as other relevant factors.

• More robust due diligence on and monitoring of higher risk third-party relationships.

• Thorough reviews and gap analyses of systems and controls against relevant external events, with strong senior management involvement or sponsorship.

• Ensuring review teams have sufficient knowledge of relevant issues and supplementing this with external expertise where necessary.

• Establishing clear plans to implement improvements arising from reviews, including updating policies, procedures and staff training.

• Adequate and prompt reporting to SOCA[7] and us of any inappropriate payments identified during business practice review.

Examples of poor practice:

• Failing to consider the bribery and corruption risks posed by third parties used to win business.

• Failing to allocate formal responsibility for anti-bribery and corruption risk assessments.

• A ‘one size fits all’ approach to third-party due diligence.

• Failing to respond to external events which may draw attention to weaknesses in systems and controls.

• Taking too long to implement changes to systems and controls after analysing external events.

• Failure to bolster insufficient in-house knowledge or resource with external expertise.

• Failure to report inappropriate payments to SOCA and a lack of openness in dealing with us concerning any material issues identified.

Box 9.3: Due diligence on third-party relationships

Examples of good practice:

• Establishing and documenting policies with a clear definition of a ‘third party’ and the due diligence required when establishing and reviewing third-party relationships.

• More robust due diligence on third parties which pose the greatest risk of bribery and corruption, including a detailed understanding of the business case for using them.

• Having a clear understanding of the roles clients, reinsurers, solicitors and loss adjusters play in transactions to ensure they are not carrying out higher risk activities.

• Taking reasonable steps to verify the information provided by third parties during the due diligence process.

• Using third party forms which ask relevant questions and clearly state which fields are mandatory.

• Having third party account opening forms reviewed and approved by compliance, risk or committees involving these areas.

Examples of poor practice:

• Failing to carry out or document due diligence on third-party relationships.

• Relying heavily on the informal ‘market view’ of the integrity of third parties as due diligence.

• Relying on the fact that third-party relationships are longstanding when no due diligence has ever been carried out.

• Carrying out only very basic identity checks as due diligence on higher risk third parties.

• Asking third parties to fill in account opening forms which are not relevant to them (e.g. individuals filling in forms aimed at corporate entities).

• Accepting vague explanations of the business case for using third parties.

• Approvers of third-party relationships working within the broking department or being too close to it to provide adequate challenge.

[7] Serious Organised Crime Agency. See Part 1 Annex 1 for common terms.

Box 9.3: Due diligence on third-party relationships (continued)

Examples of good practice:

• Using commercially-available intelligence tools, databases and/or other research techniques such as internet search engines to check third-party declarations about connections to public officials, clients or the assured.

• Routinely informing all parties involved in the insurance transaction about the involvement of third parties being paid commission.

• Ensuring current third-party due diligence standards are appropriate when business is acquired that is higher risk than existing business.

• Considering the level of bribery and corruption risk posed by a third party when agreeing the level of commission.

• Setting commission limits or guidelines which take into account risk factors related to the role of the third party, the country involved and the class of business.

• Paying commission to third parties on a one-off fee basis where their role is pure introduction.

• Taking reasonable steps to ensure that bank accounts used by third parties to receive payments are, in fact, controlled by the third party for which the payment is meant. For example, broker firms might wish to see the third party’s bank statement or have the third party write them a low value cheque.

• Higher or extra levels of approval for high risk third-party relationships.

• Regularly reviewing third-party relationships to identify the nature and risk profile of third-party relationships.

• Maintaining accurate central records of approved third parties, the due diligence conducted on the relationship and evidence of periodic reviews.

Examples of poor practice:

• Accepting instructions from third parties to pay commission to other individuals or entities which have not been subject to due diligence.

• Assuming that third-party relationships acquired from other firms have been subject to adequate due diligence.

• Paying high levels of commission to third parties used to obtain or retain higher risk business, especially if their only role is to introduce the business.

• Receiving bank details from third parties via informal channels such as email, particularly if email addresses are from webmail (e.g. Hotmail) accounts or do not appear to be obviously connected to the third party.

• Leaving redundant third-party accounts ‘live’ on the accounting systems because third-party relationships have not been regularly reviewed.

• Being unable to produce a list of approved third parties, associated due diligence and details of payments made to them.

Box 9.4: Payment controls

Examples of good practice:

• Ensuring adequate due diligence and approval of third-party relationships before payments are made to the third party.

Examples of poor practice:

• Failing to check whether third parties to whom payments are due have been subject to appropriate due diligence and approval.

Box 9.4: Payment controls (continued)

Examples of good practice:

• Risk-based approval procedures for payments and a clear understanding of why payments are made.

• Checking third-party payments individually prior to approval, to ensure consistency with the business case for that account.

• Regular and thorough monitoring of third-party payments to check, for example, whether a payment is unusual in the context of previous similar payments.

• A healthily sceptical approach to approving third-party payments.

• Adequate due diligence on new suppliers being added to the Accounts Payable system.

• Clear limits on staff expenditure, which are fully documented, communicated to staff and enforced.

• Limiting third-party payments from Accounts Payable to reimbursements of genuine business-related costs or reasonable entertainment.

• Ensuring the reasons for third-party payments via Accounts Payable are clearly documented and appropriately approved.

• The facility to produce accurate MI to facilitate effective payment monitoring.

Examples of poor practice:

• The inability to produce regular third-party payment schedules for review.

• Failing to check thoroughly the nature, reasonableness and appropriateness of gifts and hospitality.

• No absolute limits on different types of expenditure, combined with inadequate scrutiny during the approvals process.

• The giving or receipt of cash gifts.

Box 9.5: Staff recruitment and vetting

Examples of good practice:

• Vetting staff on a risk-based approach, taking into account financial crime risk.

• Enhanced vetting – including checks of credit records, criminal records, financial sanctions lists, commercially available intelligence databases and the CIFAS Staff Fraud Database – for staff in roles with higher bribery and corruption risk.

• A risk-based approach to dealing with adverse information raised by vetting checks, taking into account its seriousness and relevance in the context of the individual’s role or proposed role.

• Where employment agencies are used to recruit staff in higher risk positions, having a clear understanding of the checks they carry out on prospective staff.

• Conducting periodic checks to ensure that agencies are complying with agreed vetting standards.

• A formal process for identifying changes in existing employees’ financial soundness which might make them more vulnerable to becoming involved in, or committing, corrupt practices.

Examples of poor practice:

• Relying entirely on an individual’s market reputation or market gossip as the basis for recruiting staff.

• Carrying out enhanced vetting only for senior staff when more junior staff are working in positions where they could be exposed to bribery or corruption issues.

• Failing to consider on a continuing basis whether staff in higher risk positions are becoming vulnerable to committing fraud or being coerced by criminals.

• Relying on contracts with employment agencies covering staff vetting standards without checking periodically that the agency is adhering to them.

• Temporary or contract staff receiving less rigorous vetting than permanently employed colleagues carrying out similar roles.

Box 9.6: Training and awareness

Examples of good practice:

• Providing good quality, standard training on anti-bribery and corruption for all staff.

• Additional anti-bribery and corruption training for staff in higher risk positions.

• Ensuring staff responsible for training others have adequate training themselves.

• Ensuring training covers practical examples of risk and how to comply with policies.

• Testing staff understanding and using the results to assess individual training needs and the overall quality of the training.

• Staff records setting out what training was completed and when.

• Providing refresher training and ensuring it is kept up to date.

Examples of poor practice:

• Failing to provide training on anti-bribery and corruption, especially to staff in higher risk positions.

• Training staff on legislative and regulatory requirements but failing to provide practical examples of how to comply with them.

• Failing to ensure anti-bribery and corruption policies and procedures are easily accessible to staff.

• Neglecting the need for appropriate staff training in the belief that robust payment controls are sufficient to combat bribery and corruption.

Box 9.7: Risk arising from remuneration structures

Examples of good practice:

• Assessing whether remuneration structures give rise to increased risk of bribery and corruption.

• Determining individual bonus awards on the basis of several factors, including a good standard of compliance, not just the amount of income generated.

• Deferral and clawback provisions for bonuses paid to staff in higher risk positions.

Examples of poor practice:

• Bonus structures for staff in higher risk positions which are directly linked (e.g. by a formula) solely to the amount of income or profit they produce, particularly when bonuses form a major part, or the majority, of total remuneration.

Box 9.8: Incident reporting

Examples of good practice:

• Clear procedures for whistleblowing and reporting suspicions, and communicating these to staff.

• Appointing a senior manager to oversee the whistleblowing process and act as a point of contact if an individual has concerns about their line management.

• Respect for the confidentiality of workers who raise concerns.

• Internal and external suspicious activity reporting procedures in line with the Joint Money Laundering Steering Group guidance.

• Keeping records or copies of internal suspicion reports which are not forwarded as SARs, for future reference and possible trend analysis.

• Financial crime training covers whistleblowing procedures and how to report suspicious activity.

Examples of poor practice:

• Failing to report suspicious activity relating to bribery and corruption.

• No clear internal procedure for whistleblowing or reporting suspicions.

• No alternative reporting routes for staff wishing to make a whistleblowing disclosure about their line management or senior managers.

• A lack of training and awareness in relation to whistleblowing and the reporting of suspicious activity.

Box 9.9: The role of compliance and internal audit

Examples of good practice:

• Compliance and internal audit staff receiving specialist training to achieve a very good knowledge of bribery and corruption risks.

• Effective compliance monitoring and internal audit reviews which challenge not only whether processes to mitigate bribery and corruption have been followed but also the effectiveness of the processes themselves.

• Independent checking of compliance’s operational role in approving third party relationships and accounts, where relevant.

• Routine compliance and/or internal audit checks of higher risk third party payments to ensure there is appropriate supporting documentation and adequate justification to pay.

Examples of poor practice:

• Failing to carry out compliance or internal audit work on anti-bribery and corruption.

• Compliance, in effect, signing off their own work, by approving new third party accounts and carrying out compliance monitoring on the same accounts.

• Compliance and internal audit not recognising or acting on the need for a risk-based approach.

10 The Small Firms Financial Crime Review (2010)

Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to small firms in all sectors who are subject to the financial crime rules in SYSC 3.2.6R or SYSC 6.1.1R and small e-money institutions and payment institutions within our supervisory scope.

Content: This chapter contains sections on:

• Regulatory/Legal obligations Box 10.1

• Account opening procedures Box 10.2

• Monitoring activity Box 10.3

• Suspicious activity reporting Box 10.4

• Records Box 10.5

• Training Box 10.6

• Responsibilities and risk assessments Box 10.7

• Access to systems Box 10.8

• Outsourcing Box 10.9

• Physical controls Box 10.10

• Data disposal Box 10.11

• Data compromise incidents Box 10.12

• General fraud Box 10.13

• Insurance fraud Box 10.14

• Investment fraud Box 10.15

• Mortgage fraud Box 10.16

• Staff/Internal fraud Box 10.17

Page 38: Financial crime: a guide for firms - part 2 - FCA Handbook · 1.1 Part 2 of Financial crime: a guide for ... by section 158 of the Financial ... of the Money Laundering Regulations

38

Financial crime: a guide for firms Part 2: Financial crime thematic reviewsThe Small Firms Financial Crime Review (2010)

Financial Conduct Authority

10.1 In May 2010 the FSA published the findings of its thematic review into the extent to which small firms across the financial services industry addressed financial crime risks in their business. The review conducted visits to 159 small retail and wholesale firms in a variety of financial sectors. It was the first systematic review of financial crime systems and controls in small firms conducted by the FSA.

10.2 The review covered three main areas: anti-money laundering and financial sanctions; data security; and fraud controls. The review sought to determine whether firms understood clearly the requirements placed on them by the wide range of legislation and regulations to which they were subject.

10.3 The FSA found that firms generally demonstrated a reasonable awareness of their obligations, particularly regarding AML systems and controls. But it found weaknesses across the sector regarding the implementation of systems and controls put in place to reduce firms’ broader financial crime risk.

10.4 The review emphasised the key role that the small firms sector often plays in acting as the first point of entry for customers to the wider UK financial services industry; and the importance, therefore, of firms having adequate customer due diligence measures in place. The report flagged up concerns relating to weaknesses in firms’ enhanced due diligence procedures when dealing with high-risk customers.

10.5 The FSA concluded that, despite an increased awareness of the risks posed by financial crime and information supplied by the FSA, small firms were generally weak in their assessment and mitigation of financial crime risks.

10.6 The contents of this report are reflected in Chapter 2 (Financial crime systems and controls), Chapter 3 (Money laundering and terrorist financing), Chapter 4 (Fraud), Chapter 5 (Data security) and Chapter 7 (Sanctions and asset freezes) of Part 1 of this Guide.

The FSA’s findings

10.7 You can read the findings of the FSA’s thematic review here:

http://www.fsa.gov.uk/smallfirms/pdf/financial_crime_report.pdf

Consolidated examples of good and poor practice

Box 10.1: Regulatory/Legal obligations

Examples of good practice:

• A small IFA used policies and procedures which had been prepared by consultants but the MLRO had tailored these to the firm’s business. There was also a risk assessment of customers and products included in an MLRO report which was updated regularly.

• One general insurance (GI) intermediary had an AML policy in place which was of a very good standard and included many good examples of AML typologies relevant to GI business. Despite the fact that there is no requirement for an MLRO for a business of this type the firm had appointed an individual to carry out an MLRO function as a point of good practice.

Examples of poor practice:

• An MLRO at an IFA was not familiar with the JMLSG guidance and had an inadequate knowledge of the firm’s financial crime policies and procedures.


Box 10.2: Account opening procedures

Examples of good practice:

• A discretionary portfolio manager had procedures that required the verification of the identity of all beneficial owners. The firm checked its customer base against sanctions lists and had considered the risks associated with PEPs. Most new customers were visited by the adviser at home and in these cases the advisers would usually ask for identity verification documents on the second meeting with the customer. Where business was conducted remotely, more (three or four) identity verification documents were required and the source of funds exemption was not used.

Examples of poor practice:

• An IFA commented that they only dealt with investment customers that were well known to the firm or regulated entities. However, the firm had some high risk customers who were subject to very basic due diligence (e.g. copy of passport). The firm said that they were concerned about the high reputational impact an AML incident could have on their small, young business. The firm stated that they would deal with PEPs but with appropriate care. However, the firm did not have a rigorous system in place to be able to identify PEPs – this was a concern given the nationality and residence of some underlying customers. The firm appeared to have reasonable awareness of the sanctions requirements of both the Treasury and the United States Office of Foreign Assets Control (OFAC), but there was no evidence in the customer files of any sanctions checking.

• A venture capital firm had policies in place which required a higher level of due diligence and approval for high-risk customers. However, they had no system in place by which they could identify this type of customer.

Box 10.3: Monitoring activity

Examples of good practice:

• A credit union used a computer-based monitoring system which had been specially designed for business of this type. The system was able to produce a number of exception reports relating to the union’s members, including frequency of transactions and defaulted payments. The exception reports were reviewed daily. If there had been no activity on an account for 12 months it was suspended. If the customer was to return and request a withdrawal they would be required to prove their identity again.

• A Personal Pension Operator’s procedure for higher risk customers included gathering extra source of funds proof at customer take-on. The firm also conducted manual monitoring and produced valuation statements twice a year.

• Within a GI intermediary firm, there was a process where, if a customer made a quick claim after the policy had been taken out, their records were flagged on the firm’s monitoring system. This acted as an alert for any possible suspicious claims in the future.
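The credit union's monitoring in Box 10.3 describes three exception reports (frequency of transactions, defaulted payments, and 12-month dormancy leading to suspension) and the rule that a suspended member must prove identity again before withdrawing. The following is an added example of how such daily reports can be generated; it is not code from the FSA or from any firm in the review. The 12-month dormancy period is the review's; the 30-day comparison window, the minimum count of five and the 3x baseline multiplier are assumptions of this example, and the member data is constructed.

```python
"""Daily exception reports for a small member-based firm, modelled on Box 10.3.
Added example: not the FSA's or any firm's code. Thresholds marked as assumptions
are this example's own; the 12-month dormancy rule comes from the review."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

DORMANCY_DAYS = 365         # no activity for 12 months -> suspend (from the review)
WINDOW_DAYS = 30            # assumption: compare the last 30 days with the member's history
MIN_RECENT = 5              # assumption: ignore small counts so quiet members are not flagged
FREQUENCY_MULTIPLIER = 3.0  # assumption: flag when recent rate exceeds 3x the member's baseline
REVIEW_DATE = date(2010, 5, 1)  # constructed "today" for the sample run


@dataclass
class Member:
    member_id: str
    joined: date
    transactions: List[date] = field(default_factory=list)  # member-initiated activity
    missed_payments: int = 0                                 # loan instalments not paid when due
    suspended: bool = False
    identity_verified: bool = True


def last_activity(member: Member) -> date:
    return max(member.transactions) if member.transactions else member.joined


def frequency_exceptions(members: List[Member], as_of: date) -> List[str]:
    """Members whose transaction count in the last WINDOW_DAYS is unusual for them."""
    flagged = []
    window_start = as_of - timedelta(days=WINDOW_DAYS)
    for m in members:
        recent = sum(1 for t in m.transactions if window_start < t <= as_of)
        earlier = sum(1 for t in m.transactions if t <= window_start)
        history_windows = max((window_start - m.joined).days / WINDOW_DAYS, 1.0)
        baseline = earlier / history_windows  # average count per window before now
        if recent >= MIN_RECENT and recent > FREQUENCY_MULTIPLIER * baseline:
            flagged.append(m.member_id)
    return flagged


def defaulted_payment_exceptions(members: List[Member]) -> List[str]:
    return [m.member_id for m in members if m.missed_payments > 0]


def apply_dormancy_rule(members: List[Member], as_of: date) -> List[str]:
    """Suspend accounts inactive for DORMANCY_DAYS; they must re-prove identity on return."""
    newly_suspended = []
    for m in members:
        if not m.suspended and (as_of - last_activity(m)).days >= DORMANCY_DAYS:
            m.suspended = True
            m.identity_verified = False
            newly_suspended.append(m.member_id)
    return newly_suspended


def daily_exception_reports(members: List[Member], as_of: date) -> Dict[str, List[str]]:
    """The set of reports the review says were reviewed daily."""
    return {
        "high_frequency": frequency_exceptions(members, as_of),
        "defaulted_payments": defaulted_payment_exceptions(members),
        "newly_suspended": apply_dormancy_rule(members, as_of),
    }


def request_withdrawal(member: Member, as_of: date, identity_proven: bool) -> str:
    """A suspended member may withdraw only after proving identity again."""
    if member.suspended:
        if not identity_proven:
            return "refused: identity must be re-verified"
        member.suspended = False
        member.identity_verified = True
    member.transactions.append(as_of)
    return "approved"


def build_sample_members() -> List[Member]:
    """Constructed sample data, not taken from the review."""
    steady = [date(2008, 2, 1) + timedelta(days=30 * i) for i in range(24)]  # roughly monthly
    spike = [date(2010, 4, 2) + timedelta(days=i) for i in range(12)]         # burst in April
    return [
        Member("M001", date(2008, 1, 10), steady + spike),
        Member("M002", date(2007, 6, 1), [date(2009, 3, 15)]),  # dormant for over a year
        Member("M003", date(2009, 9, 1), [date(2009, 10, 1), date(2010, 4, 15)], missed_payments=2),
        Member("M004", date(2009, 1, 5), [date(2010, 4, 10), date(2010, 4, 20)]),
    ]


def run_demo() -> Dict[str, object]:
    """Run the reports on the sample, then show the re-verification rule on the dormant member."""
    members = build_sample_members()
    reports = daily_exception_reports(members, REVIEW_DATE)
    dormant = next(m for m in members if m.member_id == "M002")
    first = request_withdrawal(dormant, REVIEW_DATE, identity_proven=False)
    second = request_withdrawal(dormant, REVIEW_DATE, identity_proven=True)
    return {"reports": reports, "first_attempt": first, "second_attempt": second,
            "still_suspended": dormant.suspended}


if __name__ == "__main__":
    print(run_demo())
```

The baseline is computed per member rather than as a single firm-wide threshold, so a member whose normal pattern is busy is not flagged every day while a normally quiet member who suddenly transacts twelve times in a month is; the minimum count stops a member with one or two transactions in their first month from appearing on the report.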


Box 10.4: Suspicious activity reporting

Examples of poor practice:

• One MLRO working at an IFA firm commented that he would forward all internal SARs he received to SOCA and would not exercise any judgement himself as to the seriousness of these SARs.

• At an IFA the MLRO did not demonstrate any knowledge of how to report a SAR to SOCA, what to report to SOCA, or how to draft a SAR. The firm’s policies and procedures contained a pro forma SAR but this was not a document the MLRO was familiar with.

• An IFA was unaware of the difference between reporting suspicions to SOCA and sanctions requirements, believing that if he identified a person on the Consolidated List he should carry on as normal and just report it as a SAR to SOCA.

Box 10.5: Records

Examples of good practice:

• An advising-only intermediary firm used a web-based system as its database of leads, contact names and addresses. It also stored telephone and meeting notes there which were accessed by staff using individual passwords.

• A home finance broker classified customers as A, B or C for record keeping purposes: A's being Active, B's being ‘one-off or infrequent business’ who he maintained contact with via a regular newsletter, and C's being archived customers.

Examples of poor practice:

• A file review at an IFA revealed disorganised files and missing KYC documentation in three of five files reviewed. Files did not always include a checklist. (We expect that KYC information should be kept together in the file so that it is easily identifiable and auditable.)

Box 10.6: Training

Examples of good practice:

• A GI intermediary used an on-line training website (costing around £100 per employee per year). The firm believed that the training was good quality and included separate modules on financial crime which were compulsory for staff to complete. Staff were also required to complete refresher training. An audit of all training completed was stored on-line.

• An IFA (sole trader) carried out on-line training on various financial crime topics. He also participated in conference call training where a trainer talked trainees through various topics while on-line; this was both time and travel efficient.

Examples of poor practice:

• A GI intermediary explained that the compliance manager carried out regular audits to confirm staff knowledge was sufficient. However, on inspection of the training files it appeared that training was largely limited to product information and customer service and did not sufficiently cover financial crime.

• One credit union, apart from on-the-job training for new staff members, had no regular training in place and no method to test staff knowledge of financial crime issues.


Box 10.7: Responsibilities and risk assessments

Examples of good practice:

• At an IFA there was a clearly documented policy on data security which staff were tested on annually. The policy contained, but was not limited to, details around clear desks, non-sharing of passwords, the discouraging of the over-use of portable media devices, the secure disposal of data, and the logging of customer files removed from and returned to the office.

• An IFA had produced a written data security review of its business which had been prompted by their external consultants and largely followed the small firms’ factsheet material on data security, provided by the FSA in April 2008.

• In a personal pension operator, there was a full and comprehensive anti-fraud strategy in place and a full risk assessment had been carried out which was regularly reviewed. The firm’s financial transactions were normally ‘four eyed’ as a minimum and there were strict mandates on cheque signatures for the Finance Director and Finance Manager.

Examples of poor practice:

• At an IFA, a risk assessment had been undertaken by the firm’s compliance consultant but the firm demonstrated no real appreciation of the financial crime risks in its business. The risk assessment was not tailored to the risks inherent in that business.

• An advising-only intermediary had its policies and procedures drawn up by an external consultant but these had not been tailored to the firm’s business. The MLRO was unclear about investigating and reporting suspicious activity to SOCA. The firm’s staff had not received formal training in AML or reporting suspicious activity to SOCA.

Box 10.8: Access to systems

Examples of good practice:

• In a discretionary investment management firm, the Chief Executive ensured that he signed off on all data user profiles, ensuring that systems accesses were authorised by him.

• A discretionary investment manager conducted five year referencing on new staff, verified personal addresses and obtained character references from acquaintances not selected by the candidate. They also carried out annual credit checks, CRB checks and open source Internet searches on staff. There were role profiles for each job within the firm and these were reviewed monthly for accuracy.

• In a venture capital firm they imposed a minimum ten character (alpha/numeric, upper/lower case) password for systems access which had a 45-day enforced change period.

Examples of poor practice:

• In a financial advisory firm there was no minimum length for passwords (although these had to be alpha/numeric) and the principal of the firm plus one other colleague knew all staff members’ passwords.

• In an advising-only intermediary, staff set their own systems passwords which had no defined length or complexity and were only changed every six months.
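Box 10.8 contrasts a ten-character, mixed-case, alphanumeric password with a 45-day change period against policies with no minimum length, no complexity and a six-month change period. The following is an added example, not code from the FSA or from any firm in the review, that encodes those three policies as data and checks two separate things: whether a policy's own settings are weak, and whether a given credential complies with a policy. The benchmark values (ten characters, 90 days) are assumptions of this example; the financial advisory firm's change period is not stated in the review, so it is modelled as "none recorded", and "six months" is taken as 182 days.

```python
"""Password-policy checks modelled on Box 10.8. Added example: not code from the FSA or
from any firm in the review. Benchmarks are this example's assumptions."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int            # 0 = no minimum length enforced
    require_mixed_case: bool   # upper- and lower-case letters required
    require_digit: bool        # "alpha/numeric" in the review's wording
    max_age_days: int          # enforced change period; 0 = none recorded
    passwords_shared: bool = False  # other people know staff members' passwords


# Settings as Box 10.8 describes them. "Six months" is taken as 182 days; the financial
# advisory firm's change period is not stated, so 0 (none recorded) is an assumption.
GOOD_PRACTICE = PasswordPolicy("venture capital firm", 10, True, True, 45)
NO_MIN_LENGTH = PasswordPolicy("financial advisory firm", 0, False, True, 0, passwords_shared=True)
ADVISING_ONLY = PasswordPolicy("advising-only intermediary", 0, False, False, 182)

# Benchmarks used to judge a policy: assumptions of this example, not figures from the review
BENCHMARK_MIN_LENGTH = 10
BENCHMARK_MAX_AGE_DAYS = 90


def policy_weaknesses(policy: PasswordPolicy) -> List[str]:
    """Codes for each way the policy itself falls short of the benchmarks."""
    weak = []
    if policy.min_length < BENCHMARK_MIN_LENGTH:
        weak.append("no_minimum_length" if policy.min_length == 0 else "minimum_length_short")
    if not policy.require_mixed_case:
        weak.append("no_mixed_case")
    if not policy.require_digit:
        weak.append("no_digit")
    if policy.max_age_days == 0:
        weak.append("no_change_period")
    elif policy.max_age_days > BENCHMARK_MAX_AGE_DAYS:
        weak.append("change_period_too_long")
    if policy.passwords_shared:
        weak.append("passwords_known_to_others")
    return weak


def credential_violations(policy: PasswordPolicy, password: str, age_days: int) -> List[str]:
    """Codes for each way a password (and its age in days) breaks the given policy.

    This makes the caveat visible: a weak policy accepts a weak password, so checking
    compliance is only meaningful once the policy itself has passed policy_weaknesses()."""
    violations = []
    if policy.min_length and len(password) < policy.min_length:
        violations.append("too_short")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if policy.require_mixed_case and not (has_upper and has_lower):
        violations.append("no_mixed_case")
    if policy.require_digit and not any(c.isdigit() for c in password):
        violations.append("no_digit")
    if policy.max_age_days and age_days > policy.max_age_days:
        violations.append("expired")
    return violations


if __name__ == "__main__":
    for p in (GOOD_PRACTICE, NO_MIN_LENGTH, ADVISING_ONLY):
        print(f"{p.name}: {policy_weaknesses(p) or 'meets benchmarks'}")
    print(credential_violations(GOOD_PRACTICE, "quarterly", age_days=50))
```

Running `credential_violations` against the advising-only intermediary's policy returns nothing for a four-letter password that has not been changed for 100 days, which is the point: compliance checking reports against whatever the policy says, so the policy review has to come first.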


Box 10.9: Outsourcing

Examples of good practice:

• A discretionary investment manager used an external firm for IT support and had conducted its own on-site review of the IT firm’s security arrangements. The same firm also insisted on CRB checks for cleaners.

• An IFA had received a request from an introducer to provide names of customers who had bought a certain financial product. The firm refused to provide the data as it considered the request unnecessary and wanted to protect its customer data. It also referred the matter to the Information Commissioner who supported the firm’s actions.

• A general insurance intermediary employed office cleaners supplied by an agency that conducts due diligence including CRB checks. Office door codes were regularly changed and always if there was a change in staff.

• In an authorised professional firm, unauthorised data access attempts by staff were monitored by the IT manager and email alerts sent to staff and management when identified.

• In a general insurance intermediary the two directors had recently visited the offsite data storage facility to satisfy themselves about the security arrangements at the premises.

Examples of poor practice:

• An authorised professional firm employed the services of third-party cleaners, security staff, and an offsite confidential waste company, but had carried out no due diligence on any of these parties.

• An IFA allowed a third-party IT consultant full access rights to its customer databank. Although the firm had a service agreement in place that allowed full audit rights between the advisor and the IT company to monitor the security arrangements put in place by the IT company, this had not been invoked by the IFA, in contrast to other firms visited where such audits had been undertaken.

Box 10.10: Physical controls

Examples of good practice:

• At an IFA, staff email was monitored and monthly MI was produced, which included a monitoring of where emails had been directed to staff home addresses.

• At an investment advisory firm, staff were prohibited from using the Internet and Hotmail accounts. USB ports had been disabled on hardware and laptops were encrypted.

Examples of poor practice:

• In a general insurance intermediary which had poor physical security in terms of shop front access, there were many insecure boxes of historical customer records dotted around the office in no apparent order. The firm had no control record of what was stored in the boxes, saying only that they were no longer needed for the business.

• In an authorised professional firm, Internet and Hotmail usage was only monitored if it was for longer than 20 minutes at any one time. There was also no clear-desk policy within the firm.

• In an authorised professional firm there had been two incidents where people had walked into the office and stolen staff wallets and laptops.
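The email monitoring in Box 10.10 (monthly MI that included where emails had been directed to staff home addresses) can be produced from a mail gateway's outbound log. The following is an added example of that detection and reporting logic; it is not code from the FSA or from the firm reviewed. The log format, the firm domain `example-ifa.co.uk`, the list of webmail providers, the declared home addresses and the log lines themselves are all constructed for the example.

```python
"""Monthly MI on staff email directed to personal addresses, modelled on Box 10.10.
Added example: not the FSA's or any firm's code. Log format and data are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

FIRM_DOMAIN = "example-ifa.co.uk"                              # assumed firm domain
WEBMAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.co.uk"}  # assumption: personal providers
# Home addresses staff have declared to the firm (constructed)
DECLARED_HOME_ADDRESSES = {"alice@example-ifa.co.uk": "alice.home@btinternet.example"}

# Constructed gateway log: one outbound message per line, plus a malformed line
SAMPLE_LOG = """\
2010-04-02T09:14:05 from=alice@example-ifa.co.uk to=client1@customer.example size=48211 attach=1
2010-04-02T18:40:11 from=alice@example-ifa.co.uk to=alice.home@btinternet.example size=913004 attach=1
2010-04-15T12:02:33 from=bob@example-ifa.co.uk to=bob_smith@hotmail.com size=22100 attach=0
2010-04-16T08:55:01 from=bob@example-ifa.co.uk to=carol@example-ifa.co.uk size=3120 attach=0
2010-05-03T17:30:47 from=alice@example-ifa.co.uk to=alice.home@btinternet.example size=1204998 attach=1
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ from=(?P<sender>\S+) to=(?P<recipient>\S+) "
    r"size=(?P<size>\d+) attach=(?P<attach>[01])$"
)


class Message(NamedTuple):
    day: str
    sender: str
    recipient: str
    size: int
    has_attachment: bool


def parse_log(text: str) -> List[Message]:
    """Parse the gateway log, skipping lines that do not match rather than aborting the report."""
    messages = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        messages.append(Message(m["day"], m["sender"], m["recipient"],
                                int(m["size"]), m["attach"] == "1"))
    return messages


def personal_address_reason(msg: Message) -> str:
    """Why a message counts as directed to a personal address, or '' if it does not."""
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    if domain == FIRM_DOMAIN:
        return ""                                   # internal mail is out of scope
    if DECLARED_HOME_ADDRESSES.get(msg.sender) == msg.recipient:
        return "declared home address"
    if domain in WEBMAIL_DOMAINS:
        return "webmail provider"
    recipient_local = msg.recipient.split("@", 1)[0].lower()
    if msg.sender.split("@", 1)[0].lower() in recipient_local:
        return "recipient name matches sender"      # e.g. bob -> bob_smith@other.example
    return ""


def flag_personal(messages: List[Message]) -> List[Tuple[Message, str]]:
    return [(m, reason) for m in messages if (reason := personal_address_reason(m))]


def monthly_mi(messages: List[Message]) -> Dict[str, Dict[str, int]]:
    """{month: {sender: count}} of messages to personal addresses, for the monthly MI pack."""
    mi: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for msg, _ in flag_personal(messages):
        mi[msg.day[:7]][msg.sender] += 1
    return {month: dict(senders) for month, senders in mi.items()}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for msg, reason in flag_personal(parsed):
        print(f"{msg.day} {msg.sender} -> {msg.recipient} ({reason}, {msg.size} bytes)")
    print(monthly_mi(parsed))
```

The reasons are ordered so that a declared home address is reported as such even when it is also at a webmail provider, and the name-match heuristic runs last because it is the weakest signal; the message size and attachment flag are kept on each record so the reviewer of the MI can see which flagged messages carried bulk data out of the firm.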

Box 10.11: Data disposal

Examples of good practice:

• An advising and arranging intermediary used a third party company for all paper disposals, using secure locked bins provided by the third party. All paper in the firm was treated as confidential and ‘secure paper management’ was encouraged throughout the firm, enhanced by a monitored clear-desk policy. The firm was also aware that it needed to consider a process for secure disposal of electronic media as it was due to undergo a systems refit in the near future.

• An IFA treated all customer paperwork as confidential and had onsite shredding facilities. For bulk shredding the firm used a third party who provided bags and tags for labelling sensitive waste for removal, and this was collected and signed for by the third party. The firm’s directors had visited the third party’s premises and satisfied themselves of their processes. The directors periodically checked office bins for confidential waste being mishandled. PCs which had come to ‘end of life’ were wiped using reputable software and physically destroyed.

Examples of poor practice:

• In an IFA there was a clear-desk policy that was not enforced and customer data was stored in unlocked cabinets which were situated in a part of the office accessible to all visitors to the firm.

Box 10.12: Data compromise incidents

Examples of good practice:

• A general insurance broker had suffered a succession of break-ins to their offices. No data had been lost or stolen but the firm sought the advice of local police over the incidents and employed additional physical security as a result.

Examples of poor practice:

• In a general insurance intermediary, the IT manager said he would take responsibility for any data security incidents although there were no procedures in place for how to handle such occurrences. When asked about data security, the compliance officer was unable to articulate the financial crime risks that lax data security processes posed to the firm and said it would be something he would discuss with his IT manager.

Box 10.13: General fraud

Examples of good practice:

• A small product provider had assessed the fraud risk presented by each product and developed appropriate controls to mitigate this risk based on the assessment. This assessment was then set out in the firm’s Compliance Manual and was updated when new information became available.

• A credit union did not permit its members to change address details over the telephone. These needed to be submitted in writing/email. The firm also considered the feasibility of allocating passwords to their members for accessing their accounts. The union had photographs of all its members which were taken when the account was opened. These were then used to verify the identity of the customer should they wish to withdraw money or apply for a loan from the union.

• One discretionary investment manager kept full records of all customer contact including details of any phone calls. When receiving incoming calls from product providers, the firm required the caller to verify where they were calling from and provide a contact telephone number which they were then called back on before any customer details were discussed or instructions taken.

• One general insurance intermediary was a member of a local association whose membership included law enforcement and Law Society representatives. This group met in order to share local intelligence to help improve their firms’ defences against financial crime.

Examples of poor practice:

• One GI broker permitted customers to contact the firm by telephone to inform the firm of any amendments to their personal details (including change of address). To verify the identity of the person they were speaking to, the firm asked security questions. However, all the information that the firm used to verify the customer’s identity was available in the public domain.

Box 10.14: Insurance fraud

Examples of good practice:

• A small general insurer had compiled a handbook which detailed indicators of potential insurance fraud.

• An IFA had undertaken a risk assessment to understand where his business was vulnerable to insurance fraud.

• An IFA had identified where their business may be used to facilitate insurance fraud and implemented more controls in these areas.

Examples of poor practice:

• An IFA had a procedure in place to aid in the identification of high risk customers. However, once identified, this firm had no enhanced due diligence procedures in place to deal with such customers.

Box 10.15: Investment fraud

Examples of good practice:

• An IFA had undertaken a risk assessment for all high net worth customers.

• A discretionary investment manager referred higher risk decisions (in respect of a high risk customer/value of funds involved) to a specific senior manager.

• A personal pension operator carried out a financial crime risk assessment for newly introduced investment products.

Examples of poor practice:

• An IFA had a ‘one size fits all’ approach to identifying the risks associated with customers and investments.


Box 10.16: Mortgage fraud

Examples of good practice:

• The majority of firms conducted customer fact finds. This allowed them to know their customers sufficiently to identify any suspicious behaviour. CDD[8] (including source of funds information) was also obtained early in the application process before the application was completed and submitted to the lender.

• A home finance broker would not conduct any remote business – meeting all customers face-to-face.

• An IFA had informally assessed the mortgage fraud risks the business faced and was aware of potentially suspicious indicators. The IFA also looked at the fraud risks associated with how the company approached the firm – e.g. the firm felt that a cold call from a customer may pose a greater risk than those which had been referred by longstanding customers.

Examples of poor practice:

• An IFA did not undertake any KYC checks, considering this to be the responsibility of the lender.

• An IFA did not investigate source of funds. The firm stated this was because ‘a bank would pick it up and report it.’

• An IFA did not undertake extra verification of its non face-to-face customers.

[8] Customer Due Diligence. See Part 1 Annex 1 for common terms.

Box 10.17: Staff/Internal fraud

Examples of good practice:

• An IFA obtained full reference checks (proof of identity, eligibility to work and credit checks) prior to appointment. Original certificates or other original documentation was also requested.

• An IFA ensured that staff vetting is repeated by completing a credit reference check on each member of staff.

• An IFA set a low credit limit for each of its company credit cards. Bills are sent to the firm and each month the holder has to produce receipts to reconcile their claim.

• At one authorised professional firm dual signatory requirements had to be met for all payments made over £5,000.

Examples of poor practice:

• One general insurance intermediary did not undertake any background checks before appointing a member of staff or authenticate qualifications or references.

• Company credit card usage was not monitored or reconciled at an IFA. An IFA had the same computer log-on used by all staff in the office no matter what their role.


11 Mortgage fraud against lenders (2011)

Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to mortgage lenders within our supervisory scope. It may also be of interest to other firms who are subject to the financial crime rules in SYSC 3.2.6R or SYSC 6.1.1R.

Content: This chapter contains sections on:

• Governance, culture and information sharing Box 11.1

• Applications processing and underwriting Box 11.2

• Mortgage fraud prevention, investigations and recoveries Box 11.3

• Managing relationships with conveyancers, brokers and valuers Box 11.4

• Compliance and internal audit Box 11.5

• Staff recruitment and vetting Box 11.6

• Remuneration structures Box 11.7

• Staff training and awareness Box 11.8

11.1 In June 2011 the FSA published the findings of its thematic review into how mortgage lenders in the UK were managing the risks mortgage fraud posed to their businesses. The project population of 20 banks and building societies was selected to be a representative sample of the mortgage lending market. The firms the FSA visited accounted for 56% of the mortgage market in 2010.

11.2 The FSA’s review found the industry had made progress coming to terms with the problem of containing mortgage fraud over recent years. Defences were stronger, and the value of cross-industry cooperation was better recognised. However, the FSA found that many in the industry could do better; the FSA were disappointed, for example, that more firms were not actively participating in the FSA’s Information From Lenders scheme and other industry-wide initiatives to tackle mortgage fraud. Other areas of concern the FSA identified were to do with the adequacy of firms’ resources for dealing with mortgage fraud, both in terms of the number and experience of staff; and the FSA identified scope for significant improvement in the way lenders dealt with third parties such as brokers, valuers and conveyancers.

11.3 The contents of this report are reflected in Chapter 2 (Financial crime systems and controls) and Chapter 4 (Fraud) of Part 1 of this Guide.


The FSA’s findings

11.4 You can read the findings of the FSA’s thematic review here:

http://www.fsa.gov.uk/pubs/other/mortgage_fraud.pdf

Consolidated examples of good and poor practice

Box 11.1: Governance, culture and information sharing

Examples of good practice:

• A firm’s efforts to counter mortgage fraud are coordinated, and based on consideration of where anti-fraud resources can be allocated to best effect.

• Senior management engage with mortgage fraud risks and receive sufficient management information about incidents and trends.

• A firm engages in cross-industry efforts to exchange information about fraud risks.

• A firm engages front-line business areas in anti-mortgage fraud initiatives.

Examples of poor practice:

• A firm fails to report relevant information to the Information From Lenders scheme as per the guidance on IFL referrals.

• A firm fails to define mortgage fraud clearly, undermining efforts to compile statistics related to mortgage fraud trends.

• A firm does not allocate responsibility for countering mortgage fraud clearly within the management hierarchy.

Box 11.2: Applications processing and underwriting

Examples of good practice:

• A firm’s underwriting process can identify applications that may, based on a thorough assessment of risk flags relevant to the firm, present a higher risk of mortgage fraud.

• Underwriters can contact all parties to the application process (customers, brokers, valuers etc.) to clarify aspects of the application.

• The firm verifies that deposit monies for a mortgage transaction are from a legitimate source.

• New or inexperienced underwriters receive training about mortgage fraud risks, potential risk indicators, and the firm’s approach to tackling the issue.

Examples of poor practice:

• A firm’s underwriters have a poor understanding of potential fraud indicators, whether through inexperience or poor training.

• Underwriters’ demanding work targets undermine efforts to contain mortgage fraud.

• Communication between the fraud team and mortgage processing staff is weak.

• A firm relying on manual underwriting has no checklists to ensure the application process is complete.

• A firm requires underwriters to justify all declined applications to brokers.

Box 11.3: Mortgage fraud prevention, investigations and recoveries

Examples of good practice:

• A firm routinely assesses fraud risks during the development of new mortgage products, with particular focus on fraud when it enters new areas of the mortgage market (such as sub-prime or buy-to-let).

• A firm reviews existing mortgage books to identify fraud indicators.

• Applications that are declined for fraudulent reasons result in a review of pipeline and back book cases where associated fraudulent parties are identified.

• A firm has planned how counter-fraud resources could be increased in response to future growth in lending volumes, including consideration of the implications for training, recruitment and information technology.

• A firm documents the criteria for initiating a fraud investigation.

• Seeking consent from the Serious Organised Crime Agency (SOCA) to accept mortgage payments wherever fraud is identified.

Examples of poor practice:

• A firm’s anti-fraud efforts are uncoordinated and under-resourced.

• Fraud investigators lack relevant experience or knowledge of mortgage fraud issues, and have received insufficient training.

• A firm’s internal escalation procedures are unclear and leave staff confused about when and how to report their concerns about mortgage fraud.

Box 11.4: Managing relationships with conveyancers, brokers and valuers

Examples of good practice:

• A firm has identified third parties they will not deal with, drawing on a range of internal and external information.

• A third party reinstated to a panel after termination is subject to fresh due diligence checks.

• A firm checks that conveyancers register charges over property with the Land Registry in good time, and chases this up.

• Where a conveyancer is changed during the processing of an application, lenders contact both the original and new conveyancer to ensure the change is for a legitimate reason.

• A firm checks whether third parties maintain professional indemnity cover.

• A firm has a risk-sensitive process for subjecting property valuations to independent checks.

• A firm can detect brokers ‘gaming’ their systems, for example by submitting applications designed to discover the firm’s lending thresholds, or submitting multiple similar applications known to be within the firm’s lending policy.

• A firm verifies that funds are dispersed in line with instructions held, particularly where changes to the Certificate of Title occur just before completion.

Examples of poor practice:

• A firm’s scrutiny of third parties is a one-off exercise; membership of a panel is not subject to ongoing review.

• A firm’s panels are too large to be manageable. No work is undertaken to identify dormant third parties.

• A firm solely relies on the Financial Services Register to check mortgage brokers, while scrutiny of conveyancers only involves a check of public material from the Law Society or Solicitors Regulation Authority.

• A firm that uses divisional sales managers to oversee brokers has not considered how to manage conflicts of interest that may arise.


Box 11.6: Staff recruitment and vetting

Examples of good practice:

• A firm requires staff to disclose conflicts of interest stemming from their relationships with third parties such as brokers or conveyancers.

• A firm has considered what enhanced vetting methods should be applied to different roles (e.g. credit checks, criminal record checks, CIFAS staff fraud database, etc).

• A firm adopts a risk-sensitive approach to managing adverse information about an employee or new candidate.

• A firm seeks to identify when a deterioration in employees’ financial circumstances may indicate increased vulnerability to becoming involved in fraud.

Examples of poor practice:

• A firm uses recruitment agencies without understanding the checks they perform on candidates, and without checking whether they continue to meet agreed recruitment standards.

• Staff vetting is a one-off exercise.

• Enhanced vetting techniques are applied only to staff in Approved Persons positions.

• A firm’s vetting of temporary or contract staff is less thorough than checks on permanent staff in similar roles.

• A firm has considered whether remunerationstructures could incentivise behaviour that mayincrease the risk of mortgage fraud.

• A firm’s bonuses related to mortgage sales willtake account of subsequent fraud losses,whether through an element of deferral or by‘clawback’ arrangements.

• The variable element of a firm’s remuneration ofmortgage salespeople is solely driven by thevolume of sales they achieve, with no adjustmentfor sales quality or other qualitative factors relatedto compliance.

• The variable element of salespeople’s remunerationis excessive.

• Staff members’ objectives fail to reflect anyconsideration of mortgage fraud prevention.

Box 11.7: Remuneration structures

Examples of good practice: Examples of poor practice:

• A firm has subjected anti-fraud measures to‘end-to-end’ scrutiny, to assess whether defencesare coordinated, rather than solely reviewingadherence to specific procedures in isolation.

• There is a degree of specialist anti-fraudexpertise within the compliance and internalaudit functions.

• A firm’s management of third party relationshipsis subject to only cursory oversight by complianceand internal audit.

• Compliance and internal audit staff demonstrate aweak understanding of mortgage fraud risks,because of inexperience or deficient training.

Box 11.5: Compliance and internal audit

Examples of good practice: Examples of poor practice:


Box 11.8: Staff training and awareness

Examples of good practice:

• A firm’s financial crime training delivers clear messages about mortgage fraud across the organisation, with tailored training for staff closest to the issues.

• A firm verifies that staff understand training materials, perhaps with a test.

• Training is updated to reflect new mortgage fraud trends and types.

• Mortgage fraud ‘champions’ offer guidance or mentoring to staff.

Examples of poor practice:

• A firm fails to provide adequate training on mortgage fraud, particularly to staff in higher-risk business areas.

• A firm relies on staff reading up on the topic of mortgage fraud on their own initiative, without providing formal training support.

• A firm fails to ensure mortgage lending policies and procedures are readily accessible to staff.

• A firm fails to define mortgage fraud in training documents or policies and procedures.

• Training fails to ensure all staff are aware of their responsibilities to report suspicions, and the channels they should use.


12 Banks’ management of high money-laundering risk situations (2011)

Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to banks we supervise under the Money Laundering Regulations 2007. Boxes 12.1 – 12.4 also apply to other firms we supervise under the Money Laundering Regulations that have customers who present a high money-laundering risk. It may be of interest to other firms we supervise under the Money Laundering Regulations 2007.

Content: This chapter contains sections on:

• High risk customers and PEPs - AML policies and procedures Box 12.1

• High risk customers and PEPs - Risk assessment Box 12.2

• High risk customers and PEPs - Customer take-on Box 12.3

• High risk customers and PEPs - Enhanced monitoring of high risk relationships Box 12.4

• Correspondent banking - Risk assessment of respondent banks Box 12.5

• Correspondent banking - Customer take-on Box 12.6

• Correspondent banking - Ongoing monitoring of respondent accounts Box 12.7

• Wire transfers - Paying banks Box 12.8

• Wire transfers - Intermediary banks Box 12.9

• Wire transfers - Beneficiary banks Box 12.10

• Wire transfers - Implementation of SWIFT MT202COV Box 12.11

12.1 In June 2011 the FSA published the findings of its thematic review of how banks operating in the UK were managing money-laundering risk in higher-risk situations. The FSA focused in particular on correspondent banking relationships, wire transfer payments and high-risk customers including politically exposed persons (PEPs). The FSA conducted 35 visits to 27 banking groups in the UK that had significant international activity exposing them to the AML risks on which the FSA were focusing.

12.2 The FSA’s review found no major weaknesses in banks’ compliance with the legislation relating to wire transfers. On correspondent banking, there was a wide variance in standards with some banks carrying out good quality AML work, while others, particularly among the smaller banks in the FSA’s sample, carried out either inadequate due diligence or none at all.

12.3 However, the FSA’s main conclusion was that around three-quarters of banks in its sample, including the majority of major banks, were not always managing high-risk customers and PEP relationships effectively and had to do more to ensure they were not used for money laundering purposes. The FSA identified serious weaknesses in banks’ systems and controls, as well as indications that some banks were willing to enter into very high-risk business relationships without adequate controls when there were potentially large profits to be made. This meant that the FSA found it likely that some banks were handling the proceeds of corruption or other financial crime.

12.4 The contents of this report are reflected in Chapter 2 (Financial crime systems and controls) and Chapter 3 (Money laundering and terrorist financing) of Part 1 of this Guide.

The FSA’s findings

12.5 You can read the findings of the FSA’s thematic review here:

http://www.fsa.gov.uk/pubs/other/aml_final_report.pdf

Consolidated examples of good and poor practice

12.6 In addition to the examples of good and poor practice below, Section 6 of the report also included case studies illustrating relationships into which banks had entered which caused the FSA particular concern. The case studies can be accessed via the link in the paragraph above.

Box 12.1: High risk customers and PEPs – AML policies and procedures

Examples of good practice:

• Senior management take money laundering risk seriously and understand what the Money Laundering Regulations are trying to achieve.

• Keeping AML policies and procedures up to date to ensure compliance with evolving legal and regulatory obligations.

• A clearly articulated definition of a PEP (and any relevant sub-categories) which is well understood by relevant staff.

• Considering the risk posed by former PEPs and ‘domestic PEPs’ on a case-by-case basis.

• Ensuring adequate due diligence has been carried out on all customers, even if they have been referred by somebody who is powerful or influential or a senior manager.

• Providing good quality training to relevant staff on the risks posed by higher risk customers including PEPs and correspondent banks.

• Ensuring RMs⁹ and other relevant staff understand how to manage high money laundering risk customers by training them on practical examples of risk and how to mitigate it.

Examples of poor practice:

• A lack of commitment to AML risk management among senior management and key AML staff.

• Failing to conduct quality assurance work to ensure AML policies and procedures are fit for purpose and working in practice.

• Informal, undocumented processes for identifying, classifying and declassifying customers as PEPs.

• Failing to carry out enhanced due diligence on customers with political connections who, although they do not meet the legal definition of a PEP, still represent a high risk of money laundering.

• Giving waivers from AML policies without good reason.

• Considering the reputational risk rather than the AML risk presented by customers.

• Using group policies which do not comply fully with UK AML legislation and regulatory requirements.

• Using consultants to draw up policies which are then not implemented.

⁹ Relationship Managers.


Box 12.1: High risk customers and PEPs – AML policies and procedures (continued)

Examples of good practice:

• Keeping training material comprehensive and up-to-date, and repeating training where necessary to ensure relevant staff are aware of changes to policy and emerging risks.

Examples of poor practice:

• Failing to allocate adequate resources to AML.

• Failing to provide training to relevant staff on how to comply with AML policies and procedures for managing high-risk customers.

• Failing to ensure policies and procedures are easily accessible to staff.

Box 12.2: High risk customers and PEPs – Risk assessment

Examples of good practice:

• Using robust risk assessment systems and controls appropriate to the nature, scale and complexities of the bank’s business.

• Considering the money-laundering risk presented by customers, taking into account a variety of factors including, but not limited to, company structures; political connections; country risk; the customer’s reputation; source of wealth/funds; expected account activity; sector risk; and involvement in public contracts.

• Risk assessment policies which reflect the bank’s risk assessment procedures and risk appetite.

• Clear understanding and awareness of risk assessment policies, procedures, systems and controls among relevant staff.

• Quality assurance work to ensure risk assessment policies, procedures, systems and controls are working effectively in practice.

• Appropriately-weighted scores for risk factors which feed in to the overall customer risk assessment.

• A clear audit trail to show why customers are rated as high, medium or low risk.

Examples of poor practice:

• Allocating low risk scores to higher risk countries to avoid having to conduct EDD.

• MLROs who are too stretched or under resourced to carry out their function appropriately.

• Failing to risk assess customers until shortly before an FCA visit.

• Allowing RMs to override customer risk scores without sufficient evidence to support their decision.

• Inappropriate customer classification systems which make it almost impossible for a customer to be classified as high risk.

Box 12.3: High risk customers and PEPs – Customer take-on

Examples of good practice:

• Ensuring files contain a customer overview covering risk assessment, documentation, verification, expected account activity, profile of customer or business relationship and ultimate beneficial owner.

• The MLRO (and their team) have adequate oversight of all high-risk relationships.

Examples of poor practice:

• Failing to give due consideration to certain political connections which fall outside the Money Laundering Regulations definition of a PEP (eg wider family) which might mean that certain customers still need to be treated as high risk and subject to enhanced due diligence.

• Poor quality, incomplete or inconsistent CDD.


Box 12.3: High risk customers and PEPs – Customer take-on (continued)

Examples of good practice:

• Clear processes for escalating the approval of high risk and all PEP customer relationships to senior management or committees which consider AML risk and give appropriate challenge to RMs and the business.

• Using, where available, local knowledge and open source internet checks to supplement commercially available databases when researching potential high risk customers including PEPs.

• Having clear risk-based policies and procedures setting out the EDD required for higher risk and PEP customers, particularly in relation to source of wealth.

• Effective challenge of RMs and business units by banks’ AML and compliance teams, and senior management.

• Reward structures for RMs which take into account good AML/compliance practice rather than simply the amount of profit generated.

• Clearly establishing and documenting PEP and other high-risk customers’ source of wealth.

• Where money laundering risk is very high, supplementing CDD with independent intelligence reports and fully exploring and reviewing any credible allegations of criminal conduct by the customer.

• Understanding and documenting complex or opaque ownership and corporate structures and the reasons for them.

• Face-to-face meetings and discussions with high-risk and PEP prospects before accepting them as a customer.

• Making clear judgements on money-laundering risk which are not compromised by the potential profitability of new or existing relationships.

• Recognising and mitigating the risk arising from RMs becoming too close to customers and conflicts of interest arising from RMs’ remuneration structures.

Examples of poor practice:

• Relying on Group introductions where overseas standards are not UK-equivalent or where CDD is inaccessible due to legal constraints.

• Inadequate analysis and challenge of information found in documents gathered for CDD purposes.

• Lacking evidence of formal sign-off and approval by senior management of high-risk and PEP customers and failure to document appropriately why the customer was within AML risk appetite.

• Failing to record adequately face-to-face meetings that form part of CDD.

• Failing to carry out EDD for high risk/PEP customers.

• Failing to conduct adequate CDD before customer relationships are approved.

• Over-reliance on undocumented ‘staff knowledge’ during the CDD process.

• Granting waivers from establishing a customer’s source of funds, source of wealth and other CDD without good reason.

• Discouraging business units from carrying out adequate CDD, for example by charging them for intelligence reports.

• Failing to carry out CDD on customers because they were referred by senior managers.

• Failing to ensure CDD for high-risk and PEP customers is kept up-to-date in line with current standards.

• Allowing ‘cultural difficulties’ to get in the way of proper questioning to establish required CDD records.

• Holding information about customers of their UK operations in foreign countries with banking secrecy laws if, as a result, the firm’s ability to access or share CDD is restricted.

• Allowing accounts to be used for purposes inconsistent with the expected activity on the account (e.g. personal accounts being used for business) without enquiry.

• Insufficient information on source of wealth with little or no evidence to verify that the wealth is not linked to crime or corruption.

• Failing to distinguish between source of funds and source of wealth.


Box 12.3: High risk customers and PEPs – Customer take-on (continued)

Examples of poor practice:

• Relying exclusively on commercially-available PEP databases and failure to make use of available open source information on a risk-based approach.

• Failing to understand the reasons for complex and opaque offshore company structures.

• Failing to ensure papers considered by approval committees present a balanced view of money laundering risk.

• No formal procedure for escalating prospective customers to committees and senior management on a risk based approach.

• Failing to take account of credible allegations of criminal activity from reputable sources.

• Concluding that adverse allegations against customers can be disregarded simply because they hold an investment visa.

• Accepting regulatory and/or reputational risk where there is a high risk of money laundering.

Box 12.4: High risk customers and PEPs – Enhanced monitoring of high risk relationships

Examples of good practice:

• Transaction monitoring which takes account of up-to-date CDD information including expected activity, source of wealth and source of funds.

• Regularly reviewing PEP relationships at a senior level based on a full and balanced assessment of the source of wealth of the PEP.

• Monitoring new clients more closely to confirm or amend the expected account activity.

• A risk-based framework for assessing the necessary frequency of relationship reviews and the degree of scrutiny required for transaction monitoring.

• Proactively following up gaps in, and updating, CDD during the course of a relationship.

• Ensuring transaction monitoring systems are properly calibrated to identify higher risk transactions and reduce false positives.

Examples of poor practice:

• Failing to carry out regular reviews of high-risk and PEP customers in order to update CDD.

• Reviews carried out by RMs with no independent assessment by money laundering or compliance professionals of the quality or validity of the review.

• Failing to disclose suspicious transactions to SOCA.

• Failing to seek consent from SOCA on suspicious transactions before processing them.

• Unwarranted delay between identifying suspicious transactions and disclosure to SOCA.

• Treating annual reviews as a tick-box exercise and copying information from the previous review.

• Annual reviews which fail to assess AML risk and instead focus on business issues such as sales or debt repayment.


Box 12.4: High risk customers and PEPs – Enhanced monitoring of high risk relationships (continued)

Examples of good practice:

• Keeping good records and a clear audit trail of internal suspicion reports sent to the MLRO, whether or not they are finally disclosed to SOCA.

• A good knowledge among key AML staff of a bank’s highest risk/PEP customers.

• More senior involvement in resolving alerts raised for transactions on higher risk or PEP customer accounts, including ensuring adequate explanation and, where necessary, corroboration of unusual transactions from RMs and/or customers.

• Global consistency when deciding whether to keep or exit relationships with high-risk customers and PEPs.

• Assessing RMs’ performance on ongoing monitoring and feeding this into their annual performance assessment and pay review.

• Lower transaction monitoring alert thresholds for higher risk customers.

Examples of poor practice:

• Failing to apply enhanced ongoing monitoring techniques to high-risk clients and PEPs.

• Failing to update CDD based on actual transactional experience.

• Allowing junior or inexperienced staff to play a key role in ongoing monitoring of high-risk and PEP customers.

• Failing to apply sufficient challenge to explanations from RMs and customers about unusual transactions.

• RMs failing to provide timely responses to alerts raised on transaction monitoring systems.

Box 12.5: Correspondent banking – Risk assessment of respondent banks

Examples of good practice:

• Regular assessments of correspondent banking risks taking into account various money laundering risk factors such as the country (and its AML regime); ownership/management structure (including the possible impact/influence that ultimate beneficial owners with political connections may have); products/operations; transaction volumes; market segments; the quality of the respondent’s AML systems and controls and any adverse information known about the respondent.

• More robust monitoring of respondents identified as presenting a higher risk.

• Risk scores that drive the frequency of relationship reviews.

• Taking into consideration publicly available information from national government bodies and non-governmental organisations and other credible sources.

Examples of poor practice:

• Failing to consider the money-laundering risks of correspondent relationships.

• Inadequate or no documented policies and procedures setting out how to deal with respondents.

• Applying a ‘one size fits all’ approach to due diligence with no assessment of the risks of doing business with respondents located in higher risk countries.

• Failing to prioritise higher risk customers and transactions for review.

• Failing to take into account high-risk business types such as money service businesses and offshore banks.


Box 12.6: Correspondent banking – Customer take-on

Examples of good practice:

• Assigning clear responsibility for the CDD process and the gathering of relevant documentation.

• EDD for respondents that present greater risks or where there is less publicly available information about the respondent.

• Gathering enough information to understand client details; ownership and management; products and offerings; transaction volumes and values; client market segments; client reputation; as well as the AML control environment.

• Screening the names of senior managers, owners and controllers of respondent banks to identify PEPs and assessing the risk that identified PEPs pose.

• Independent quality assurance work to ensure that CDD standards are up to required standards consistently across the bank.

• Discussing the AML regime in a respondent’s home country with overseas regulators and other relevant bodies.

• Identifying risk in particular business areas (eg informal value transfer such as ‘hawala’, tax evasion, corruption) through discussions with overseas regulators.

• Visiting, or otherwise liaising with, respondent banks to discuss AML issues and gather CDD information.

• Gathering information about procedures at respondent firms for sanctions screening and identifying/managing PEPs.

• Understanding respondents’ processes for monitoring account activity and reporting suspicious activity.

• Requesting details of how respondents manage their own correspondent banking relationships.

• Senior management/senior committee sign-off for new correspondent banking relationships and reviews of existing ones.

Examples of poor practice:

• Inadequate CDD on parent banks and/or group affiliates, particularly if the respondent is based in a high-risk jurisdiction.

• Collecting CDD information but failing to assess the risks.

• Over-relying on the Wolfsberg Group AML questionnaire.

• Failing to follow up on outstanding information that has been requested during the CDD process.

• Failing to follow up on issues identified during the CDD process.

• Relying on parent banks to conduct CDD for a correspondent account and taking no steps to ensure this has been done.

• Collecting AML policies etc but making no effort to assess them.

• Having no information on file for expected activity volumes and values.

• Failing to consider adverse information about the respondent or individuals connected with it.

• No senior management involvement in the approval process for new correspondent bank relationships or existing relationships being reviewed.


Box 12.7: Correspondent banking – Ongoing monitoring of respondent accounts

Examples of good practice:

• Review periods driven by the risk rating of a particular relationship, with high risk relationships reviewed more frequently.

• Obtaining an updated picture of the purpose of the account and expected activity.

• Updating screening of respondents and connected individuals to identify individuals/entities with PEP connections or on relevant sanctions lists.

• Involving senior management and AML staff in reviews of respondent relationships and consideration of whether to maintain or exit high-risk relationships.

• Where appropriate, using intelligence reports to help decide whether to maintain or exit a relationship.

• Carrying out ad-hoc reviews in light of material changes to the risk profile of a customer.

Examples of poor practice:

• Copying periodic review forms year after year without challenge from senior management.

• Failing to take account of any changes to key staff at respondent banks.

• Carrying out annual reviews of respondent relationships but failing to consider money-laundering risk adequately.

• Failing to assess new information gathered during ongoing monitoring of a relationship.

• Failing to consider money laundering alerts generated since the last review.

• Relying on parent banks to carry out monitoring of respondents without understanding what monitoring has been done or what the monitoring found.

• Failing to take action when respondents do not provide satisfactory answers to reasonable questions regarding activity on their account.

• Focusing too much on reputational or business issues when deciding whether to exit relationships with respondents which give rise to high money-laundering risk.

Box 12.8: Wire transfers – Paying banks

Examples of good practice:

• Banks’ core banking systems ensure that all static data (name, address, account number) held on the ordering customer are automatically inserted in the correct lines of the outgoing MT103 payment instruction and any matching MT202COV.

Examples of poor practice:

• Paying banks take insufficient steps to ensure that all outgoing MT103s contain sufficient beneficiary information to mitigate the risk of customer funds being incorrectly blocked, delayed or rejected.


Box 12.9: Wire transfers – Intermediary banks

Examples of good practice:

• Where practical, intermediary and beneficiary banks delay processing payments until they receive complete and meaningful information on the ordering customer.

• Intermediary and beneficiary banks have systems that generate an automatic investigation every time an MT103 appears to contain inadequate payer information.

• Following processing, risk-based sampling for inward payments identifies inadequate payer information.

• Search for phrases in payment messages such as ‘one of our clients’ or ‘our valued customer’ in all the main languages which may indicate a bank or customer trying to conceal their identity.

Examples of poor practice:

• Banks have no procedures in place to detect incoming payments containing meaningless or inadequate payer information, which could allow payments in breach of sanctions to slip through unnoticed.

Box 12.10: Wire transfers – Beneficiary banks

Examples of good practice:

• Establishing a specialist team to undertake risk-based sampling of incoming customer payments, with subsequent detailed analysis to identify banks initiating cross-border payments containing inadequate or meaningless payer information.

• Actively engaging in dialogue with peers about the difficult issue of taking appropriate action against persistently offending banks.

Examples of poor practice:

• Insufficient processes to identify payments with incomplete or meaningless payer information.

Box 12.11: Wire transfers – Implementation of SWIFT MT202COV

Examples of good practice:

• Reviewing all correspondent banks’ use of the MT202 and MT202COV.

• Introducing the MT202COV as an additional element of the CDD review process including whether the local regulator expects proper use of the new message type.

• Always sending an MT103 and matching MT202COV wherever the sending bank has a correspondent relationship and is not in a position to ‘self clear’ (eg for Euro payments within a scheme of which the bank is a member).

• Searching relevant fields in MT202 messages for the word ‘cover’ to detect when the MT202COV is not being used as it should be.

Examples of poor practice:

• Continuing to use the MT202 for all bank-to-bank payments, even if the payment is cover for an underlying customer transaction.
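Boxes 12.8, 12.9 and 12.11 describe checks on payment messages that a bank can automate: is the ordering customer (field 50) of an MT103 complete and meaningful, does it carry a concealment phrase such as ‘one of our clients’, and does a plain MT202 call itself cover where an MT202COV should have been sent. The Python below is an added example, not code from the FCA, the review or any bank; the sample messages are constructed, the non-English phrases are illustrative additions, and the parser assumes each field tag occurs once in the text block.

```python
import re

# Phrases that may indicate a bank or customer concealing the payer's identity
# (Box 12.9). The English phrases are the review's examples; the other languages
# are illustrative additions for this example, not a complete list.
CONCEALMENT_PHRASES = (
    "one of our clients",
    "our valued customer",
    "un de nos clients",          # French, illustrative
    "uno de nuestros clientes",   # Spanish, illustrative
    "einer unserer kunden",       # German, illustrative
)

# A field tag line in the text block of an MT message, e.g. ":50K:/12345678".
FIELD_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*)$")


def parse_block4(text):
    """Parse the text block of an MT message into {tag: [lines]}.
    Lines without a leading ':NN:' tag continue the current field.
    Each tag is assumed to occur once, which is enough for these checks."""
    fields = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":        # blank line or end-of-text marker
            continue
        match = FIELD_RE.match(line)
        if match:
            current = match.group(1)
            fields[current] = [match.group(2)] if match.group(2) else []
        elif current is not None:
            fields[current].append(line)
    return fields


def check_ordering_customer(mt103_text):
    """Findings about the ordering customer (field 50A/F/K) of an MT103:
    missing field, account number with no name/address, or a concealment
    phrase (Boxes 12.8 and 12.9). An empty list means it looks complete."""
    fields = parse_block4(mt103_text)
    tag = next((t for t in ("50A", "50F", "50K") if t in fields), None)
    if tag is None:
        return ["missing ordering customer field (50)"]
    lines = fields[tag]
    findings = []
    # Lines beginning with '/' hold the account; the rest should be name/address.
    if not [ln for ln in lines if not ln.startswith("/")]:
        findings.append(f"field {tag} carries only an account number, no name or address")
    haystack = " ".join(lines).lower()
    for phrase in CONCEALMENT_PHRASES:
        if phrase in haystack:
            findings.append(f"field {tag} contains concealment phrase '{phrase}'")
    return findings


def mt202_needs_cov(mt202_text):
    """True when a plain MT202 describes itself as cover in field 72 (Box 12.11).
    An MT202COV carries the underlying customer in a second sequence (fields 50
    and 59); if those are absent and field 72 says 'cover', an MT202COV was due."""
    fields = parse_block4(mt202_text)
    has_customer_sequence = any(t.startswith(("50", "59")) for t in fields)
    sender_info = " ".join(fields.get("72", [])).lower()
    return "cover" in sender_info and not has_customer_sequence


# Constructed sample messages for this example (text block only, not real traffic).
MT103_COMPLETE = """:20:EXAMPLEREF01
:23B:CRED
:32A:130415GBP1500,00
:50K:/12345678
JANE DOE
1 HIGH STREET
LONDON
:59:/87654321
ACME LIMITED
:71A:SHA
-"""
MT103_CONCEALED = MT103_COMPLETE.replace("JANE DOE\n1 HIGH STREET\nLONDON", "ONE OF OUR CLIENTS")
MT103_ACCOUNT_ONLY = MT103_COMPLETE.replace("JANE DOE\n1 HIGH STREET\nLONDON\n", "")

MT202_PLAIN_COVER = """:20:EXAMPLEREF03
:21:EXAMPLEREF02
:32A:130415USD25000,00
:52A:AAAAGB2LXXX
:58A:BBBBUS33XXX
:72:/BNF/COVER FOR CUSTOMER TRANSFER
-"""
# Same payment sent properly as an MT202COV, with the underlying customer in sequence B.
MT202COV_PROPER = MT202_PLAIN_COVER.replace(
    "\n-", "\n:50K:/99887766\nJANE DOE\n:59:/87654321\nACME LIMITED\n-")

if __name__ == "__main__":
    for name, msg in (("complete", MT103_COMPLETE), ("concealed", MT103_CONCEALED),
                      ("account only", MT103_ACCOUNT_ONLY)):
        print(name, check_ordering_customer(msg) or "payer information complete")
    print("plain MT202 needs COV:", mt202_needs_cov(MT202_PLAIN_COVER))
    print("MT202COV needs COV:", mt202_needs_cov(MT202COV_PROPER))
```

In production the flagged messages would feed the automatic investigation queue or the risk-based sample that Boxes 12.9 and 12.10 describe, rather than being printed.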


13 Anti-bribery and corruption systems and controls in investment banks (2012)

Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply to:

• investment banks and firms carrying on investment banking or similar activities in the UK;

• all other firms who are subject to our financial crime rules in SYSC 3.2.6R or 6.1.1R; and

• electronic money institutions and payment institutions within our supervisory scope.

Box 13.4 and Box 13.5 only apply to firms or institutions who use third parties to win business.

Content: This chapter contains sections on:

• Governance and management information (Box 13.1)

• Assessing bribery and corruption risk (Box 13.2)

• Policies and procedures (Box 13.3)

• Third party relationships and due diligence (Box 13.4)

• Payment controls (Box 13.5)

• Gifts and hospitality (Box 13.6)

• Staff recruitment and vetting (Box 13.7)

• Training and awareness (Box 13.8)

• Remuneration structures (Box 13.9)

• Incident reporting and management (Box 13.10)

13.1 In March 2012, the FSA published the findings of its review of investment banks’ anti-bribery and corruption systems and controls. The FSA visited 15 investment banks and firms carrying on investment banking or similar activities in the UK to assess how they were managing bribery and corruption risk. Although this report focused on investment banking, its findings are relevant to other sectors.


13.2 The FSA found that although some investment banks had completed a great deal of work to implement effective anti-bribery and corruption controls in the months preceding its visit, the majority of them had more work to do and some firms’ systems and controls fell short of its regulatory requirements. Weaknesses related in particular to: many firms’ limited understanding of the applicable legal and regulatory regimes; incomplete or inadequate bribery and corruption risk assessments; lack of senior management oversight; and failure to monitor the effective implementation of, and compliance with, anti-bribery and corruption policies and procedures.

13.3 The contents of this report are reflected in Chapter 6 (Bribery and corruption) of Part 1 of this Guide.

13.4 You can read the findings of the FSA’s thematic review here: http://www.fsa.gov.uk/pubs/other/anti-bribery-investment-banks.pdf

Box 13.1: Governance and management information (MI)

Examples of good practice

• Clear, documented responsibility for anti-bribery and corruption apportioned to either a single senior manager or a committee with appropriate terms of reference and senior management membership, reporting ultimately to the Board.

• Regular and substantive MI to the Board and other relevant senior management forums, including: an overview of the bribery and corruption risks faced by the business; systems and controls to mitigate those risks; information about the effectiveness of those systems and controls; and legal and regulatory developments.

• Where relevant, MI includes information about third parties, including (but not limited to) new third-party accounts, their risk classification, higher risk third-party payments for the preceding period, changes to third-party bank account details and unusually high commission paid to third parties.

• MI submitted to the Board ensures they are adequately informed of any external developments relevant to bribery and corruption.

• Actions taken or proposed in response to issues highlighted by MI are minuted and acted on appropriately.

Examples of poor practice

• Failing to establish an effective governance framework to address bribery and corruption risk.

• Failing to allocate responsibility for anti-bribery and corruption to a single senior manager or an appropriately formed committee.

• Little or no MI sent to the Board about bribery and corruption issues, including legislative or regulatory developments, emerging risks and higher risk third-party relationships or payments.


Box 13.2: Assessing bribery and corruption risk

Examples of good practice

• Responsibility for carrying out a risk assessment and keeping it up-to-date is clearly apportioned to an individual or a group of individuals with sufficient levels of expertise and seniority.

• The firm takes adequate steps to identify the bribery and corruption risk. Where internal knowledge and understanding of corruption risk is limited, the firm supplements this with external expertise.

• Risk assessment is a continuous process based on qualitative and relevant information available from internal and external sources.

• Firms consider the potential conflicts of interest which might lead business units to downplay the level of bribery and corruption risk to which they are exposed.

• The bribery and corruption risk assessment informs the development of monitoring programmes; policies and procedures; training; and operational processes.

• The risk assessment demonstrates an awareness and understanding of firms’ legal and regulatory obligations.

• The firm assesses where risks are greater and concentrates its resources accordingly.

• The firm considers financial crime risk when designing new products and services.

Examples of poor practice

• The risk assessment is a one-off exercise.

• Efforts to understand the risk assessment are piecemeal and lack coordination.

• Risk assessments are incomplete and too generic.

• Firms do not satisfy themselves that staff involved in risk assessment are sufficiently aware of, or sensitised to, bribery and corruption issues.


Box 13.3: Policies and procedures

Examples of good practice

• The firm clearly sets out the behaviour expected of those acting on its behalf.

• Firms have conducted a gap analysis of existing bribery and corruption procedures against applicable legislation, regulations and guidance and made necessary enhancements.

• The firm has a defined process in place for dealing with breaches of policy.

• The team responsible for ensuring the firm’s compliance with its anti-bribery and corruption obligations engages with the business units about the development and implementation of anti-bribery and corruption systems and controls.

• Anti-bribery and corruption policies and procedures will vary depending on a firm’s exposure to bribery and corruption risk. But in most cases, firms should have policies and procedures which cover expected standards of behaviour; escalation processes; conflicts of interest; expenses, gifts and hospitality; the use of third parties to win business; whistleblowing; monitoring and review mechanisms; and disciplinary sanctions for breaches. These policies need not be in a single ‘ABC policy’ document and may be contained in separate policies.

• There should be an effective mechanism for reporting issues to the team or committee responsible for ensuring compliance with the firm’s anti-bribery and corruption obligations.

Examples of poor practice

• The firm has no method in place to monitor and assess staff compliance with anti-bribery and corruption policies and procedures.

• Staff responsible for the implementation and monitoring of anti-bribery and corruption policies and procedures have inadequate expertise on bribery and corruption.


Box 13.4: Third-party relationships and due diligence

Examples of good practice

• Where third parties are used to generate business, these relationships are subject to thorough due diligence and management oversight.

• Third-party relationships are reviewed regularly and in sufficient detail to confirm that they are still necessary and appropriate to continue.

• There are higher, or extra, levels of due diligence and approval for high risk third-party relationships.

• There is appropriate scrutiny of, and approval for, relationships with third parties that introduce business to the firm.

• The firm’s compliance function has oversight of all third-party relationships and monitors this list to identify risk indicators, eg a third party’s political or public service connections.

• Evidence that a risk-based approach has been adopted to identify higher risk relationships in order to apply enhanced due diligence.

• Enhanced due diligence procedures include a review of the third party’s own anti-bribery and corruption controls.

• Consideration, where appropriate, of compliance involvement in interviewing consultants and the provision of anti-bribery and corruption training to consultants.

• Inclusion of anti-bribery and corruption-specific clauses and appropriate protections in contracts with third parties.

Examples of poor practice

• A firm using intermediaries fails to satisfy itself that those businesses have adequate controls to detect and prevent staff using bribery or corruption to generate business.

• The firm fails to establish and record an adequate commercial rationale for using the services of third parties.

• The firm is unable to produce a list of approved third parties, associated due diligence and details of payments made to them.

• There is no checking of compliance’s operational role in approving new third-party relationships and accounts.

• A firm assumes that long-standing third-party relationships present no bribery or corruption risk.

• A firm relies exclusively on informal means, such as staff’s personal knowledge, to assess the bribery and corruption risk associated with third parties.

• No prescribed take-on process for new third-party relationships.

• A firm does not keep full records of due diligence on third parties and cannot evidence that it has considered the bribery and corruption risk associated with a third-party relationship.

• The firm cannot provide evidence of appropriate checks to identify whether introducers and consultants are PEPs.

• Failure to demonstrate that due diligence information in another language has been understood by the firm.


Box 13.5: Payment controls

Examples of good practice

• Ensuring adequate due diligence on and approval of third-party relationships before payments are made to the third party.

• Risk-based approval procedures for payments and a clear understanding of the reason for all payments.

• Checking third-party payments individually prior to approval, to ensure consistency with the business case for that account.

• Regular and thorough monitoring of third-party payments to check, for example, whether a payment is unusual in the context of previous similar payments.

• A healthily sceptical approach to approving third-party payments.

• Adequate due diligence on new suppliers being added to the Accounts Payable system.

• Clear limits on staff expenditure, which are fully documented, communicated to staff and enforced.

• Limiting third-party payments from Accounts Payable to reimbursements of genuine business-related costs or reasonable hospitality.

• Ensuring the reasons for third-party payments via Accounts Payable are clearly documented and appropriately approved.

• The facility to produce accurate MI to assist effective payment monitoring.

Examples of poor practice

• Failing to check whether third parties to whom payments are due have been subject to appropriate due diligence and approval.

• Failing to produce regular third-party payment schedules for review.

• Failing to check thoroughly the nature, reasonableness and appropriateness of gifts and hospitality.

• No absolute limits on different types of expenditure, combined with inadequate scrutiny during the approvals process.


Box 13.6: Gifts and hospitality (G&H)

Examples of good practice

• Policies and procedures clearly define the approval process and the limits applicable to G&H.

• Processes for filtering G&H by employee, client and type of hospitality for analysis.

• Processes to identify unusual or unauthorised G&H and deviations from approval limits for G&H.

• Staff are trained on G&H policies to an extent appropriate to their role, in terms of both content and frequency, and regularly reminded to disclose G&H in line with policy.

• Cash or cash-equivalent gifts are prohibited.

• Political and charitable donations are approved at an appropriate level, with input from the appropriate control function, and subject to appropriate due diligence.

Examples of poor practice

• Senior management do not set a good example to staff on G&H policies.

• Acceptable limits and the approval process are not defined.

• The G&H policy is not kept up-to-date.

• G&H and levels of staff compliance with related policies are not monitored.

• No steps are taken to minimise the risk of gifts going unrecorded.

• Failure to record a clear rationale for approving gifts that fall outside set thresholds.

• Failure to check whether charities being donated to are linked to relevant political or administrative decision-makers.

Box 13.7: Staff recruitment and vetting

Examples of good practice

• Vetting staff on a risk-based approach, taking into account financial crime risk.

• Enhanced vetting – including checks of credit records, criminal records, financial sanctions lists, commercially-available intelligence databases – for staff in roles with higher bribery and corruption risk.

• Conducting periodic checks to ensure that agencies are complying with agreed vetting standards.

Examples of poor practice

• Failing to carry out ongoing checks to identify changes that could affect an individual’s integrity and suitability.

• No risk-based processes for identifying staff who are PEPs or otherwise connected to relevant political or administrative decision-makers.

• Where employment agencies are used to recruit staff, failing to demonstrate a clear understanding of the checks these agencies carry out on prospective staff.

• Temporary or contract staff receiving less rigorous vetting than permanently employed colleagues carrying out similar roles.


Box 13.8: Training and awareness

Examples of good practice

• Providing good quality, standard training on anti-bribery and corruption for all staff.

• Ensuring training covers relevant and practical examples.

• Keeping training material and staff knowledge up-to-date.

• Awareness-raising initiatives, such as special campaigns and events to support routine training, are organised.

Examples of poor practice

• Failing to provide training on ABC that is targeted at staff with greater exposure to bribery and corruption risks.

• Failing to monitor and measure the quality and effectiveness of training.

Box 13.9: Remuneration structures

Examples of good practice

• Remuneration takes account of good compliance behaviour, not simply the amount of business generated.

• Identifying higher-risk functions from a bribery and corruption perspective and reviewing remuneration structures to ensure they do not encourage unacceptable risk taking.

Examples of poor practice

• Failing to reflect poor staff compliance with anti-bribery and corruption policy and procedures in staff appraisals and remuneration.

Box 13.10: Incident reporting and management

Examples of good practice

• Clear procedures for whistleblowing and the reporting of suspicions, which are communicated to staff.

• Details about whistleblowing hotlines are visible and accessible to staff.

• Where whistleblowing hotlines are not provided, firms should consider measures to allow staff to raise concerns in confidence or, where possible, anonymously, with adequate levels of protection, and communicate this clearly to staff.

• Firms use information gathered from whistleblowing and internal complaints to assess the effectiveness of their anti-bribery and corruption policies and procedures.

Examples of poor practice

• Failing to maintain proper records of incidents and complaints.


14 Banks’ defences against investment fraud (2012)

Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply to, deposit-taking institutions with retail customers.

Content: This chapter contains sections on:

• Governance (Box 14.1)

• Risk assessment (Box 14.2)

• Detecting perpetrators (Box 14.3)

• Automated monitoring (Box 14.4)

• Protecting victims (Box 14.5)

• Management reporting and escalation of suspicions (Box 14.6)

• Staff awareness (Box 14.7)

• Use of industry intelligence (Box 14.8)

14.1 The FSA’s thematic review, Banks’ defences against investment fraud, published in June 2012, set out the findings of its visits to seven retail banks and one building society to assess the systems and controls in place to contain the risks posed by investment fraudsters.

14.2 UK consumers are targeted by share-sale frauds and other scams including land-banking frauds, unauthorised collective investment schemes and Ponzi schemes. Customers of UK deposit-takers may fall victim to these frauds, or be complicit in them.

14.3 The contents of this report are reflected in new Box 4.5 in Chapter 4 (Fraud) of Part 1 of this Guide.

The FSA’s findings

14.4 You can read the findings of the FSA’s thematic review here: http://www.fsa.gov.uk/static/pubs/other/banks-defences-against-investment-fraud.pdf


Consolidated examples of good and poor practice

Box 14.1: Governance

Examples of good practice

• A bank can demonstrate senior management ownership and understanding of fraud affecting customers, including investment fraud.

• There is a clear organisational structure for addressing the risk to customers and the bank arising from fraud, including investment fraud. There is evidence of appropriate information moving across this governance structure that demonstrates its effectiveness in use.

• A bank has recognised subject matter experts on investment fraud supporting or leading the investigation process.

• A bank seeks to measure its performance in preventing detriment to customers.

• When assessing the case for measures to prevent financial crime, a bank considers benefits to customers, as well as the financial impact on the bank.

Examples of poor practice

• A bank lacks a clear structure for the governance of investment fraud or for escalating issues relating to investment fraud. Respective responsibilities are not clear.

• A bank lacks a clear rationale for allocating resources to protecting customers from investment fraud.

• A bank lacks documented policies and procedures relating to investment fraud.

• There is a lack of communication between a bank’s AML and fraud teams on investment fraud.

Box 14.2: Risk assessment

Examples of good practice

• A bank regularly assesses the risk to itself and its customers of losses from fraud, including investment fraud, in accordance with its established risk management framework. The risk assessment does not only cover situations where the bank could suffer losses, but also where customers could lose and not be reimbursed by the bank. Resource allocation and mitigation measures are also informed by this assessment.

• A bank performs ‘horizon scanning’ work to identify changes in the fraud types relevant to the bank and its customers.

Examples of poor practice

• A bank has performed no risk assessment that considers the risk to customers from investment fraud.

• A bank’s regulatory compliance, risk management and internal audit functions’ assurance activities do not effectively challenge the risk assessment framework.


Box 14.3: Detecting perpetrators

Examples of good practice

• A bank’s procedures for opening commercial accounts include an assessment of the risk of the customer, based on the proposed business type, location and structure.

• Account opening information is used to categorise a customer relationship according to its risk. The bank then applies different levels of transaction monitoring based on this assessment.

• A bank screens new customers to prevent the take-on of possible investment fraud perpetrators.

Examples of poor practice

• A bank only performs the customer risk assessment at account set-up and does not update this through the course of the relationship.

• A bank does not use account set-up information (such as anticipated turnover) in transaction monitoring.

• A bank allocates excessive numbers of commercial accounts to a staff member to monitor, rendering the ongoing monitoring ineffective.

• A bank allocates responsibility for the ongoing monitoring of the customer to customer-facing staff with many other conflicting responsibilities.


Box 14.4: Automated monitoring

Examples of good practice

• A bank undertakes real-time payment screening against data about investment fraud from credible sources.

• There is clear governance of real-time payment screening. The quality of alerts (rather than simply the volume of false positives) is actively considered.

• Investment fraud subject matter experts are involved in the setting of monitoring rules.

• Automated monitoring programmes reflect insights from risk assessments or vulnerable customer initiatives.

• A bank has monitoring rules designed to detect specific types of investment fraud, eg boiler room fraud.

• A bank reviews accounts after risk triggers are tripped (such as the raising of a SAR) in a timely fashion.

• When alerts are raised, a bank checks against account-opening information to identify any inconsistencies with expectations.

Examples of poor practice

• A bank fails to use information about known or suspected perpetrators of investment fraud in its financial crime prevention systems.

• A bank does not consider investment fraud in the development of monitoring rules.

• The design of rules cannot be amended to reflect the changing nature of the risk being monitored.
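As an added Python example (not from the FCA guide and not any bank's production system), the two automated checks the box describes: real-time screening of an outgoing payment's beneficiary against an intelligence list of reported investment-fraud perpetrators, and a review rule that compares inbound credits on a commercial account with the turnover the customer declared at account opening, so an alert can be checked against expectations as the last good-practice bullet asks. The intelligence list, the customer profile and the credit history are constructed; the thresholds (three times anticipated turnover, 20 distinct personal payers in 30 days) are illustrative and would in practice come out of the bank's risk assessment and be tuned by the subject matter experts the box refers to.

```python
import re
from datetime import date, timedelta
from typing import Optional

# Constructed intelligence list of reported investment-fraud perpetrators.
# In practice this would be fed from the FCA, City of London Police or the
# cross-industry forums of Box 14.8; every entry here is made up.
FRAUD_INTEL = [
    {"name": "Northgate Capital Partners Ltd", "account": "GB11NWBK60161331926819"},
    {"name": "Apex Land Investments", "account": None},
]

COMPANY_SUFFIXES = re.compile(r"\b(LTD|LIMITED|LLP|PLC|INC|GMBH)\b")


def normalise_name(name: str) -> str:
    """Upper-case, strip punctuation and company suffixes so that
    'Northgate Capital Partners Ltd.' and 'NORTHGATE CAPITAL PARTNERS'
    compare equal: fraudsters reuse a trading name across accounts."""
    text = re.sub(r"[^A-Z0-9 ]", " ", name.upper())
    return " ".join(COMPANY_SUFFIXES.sub(" ", text).split())


INTEL_ACCOUNTS = {e["account"].replace(" ", "") for e in FRAUD_INTEL if e["account"]}
INTEL_NAMES = {normalise_name(e["name"]) for e in FRAUD_INTEL}


def screen_payment(beneficiary_name: str, beneficiary_account: str) -> Optional[str]:
    """Real-time check of an outgoing payment against the intelligence list.
    Returns the reason for a hit, or None when the payment can proceed.
    The account number is the stronger signal, so it is checked first."""
    if beneficiary_account.replace(" ", "") in INTEL_ACCOUNTS:
        return "beneficiary account on investment-fraud list"
    if normalise_name(beneficiary_name) in INTEL_NAMES:
        return "beneficiary name on investment-fraud list"
    return None


def review_commercial_account(profile: dict, credits: list, as_of: date,
                              window_days: int = 30) -> list:
    """Compares inbound credits in the last window with what the customer
    declared at account opening. Two illustrative rules: turnover far above
    the anticipated figure, and many distinct personal payers, the footprint
    a share-sale fraud leaves on the account that collects victims' money.
    Returns the reasons that fired; an empty list means nothing unusual."""
    start = as_of - timedelta(days=window_days)
    recent = [c for c in credits if start < c["date"] <= as_of]
    total = sum(c["amount"] for c in recent)
    personal_payers = {c["payer"] for c in recent if c["payer_type"] == "personal"}
    expected = profile["anticipated_monthly_turnover"]
    reasons = []
    if total > 3 * expected:
        reasons.append(f"inbound {total:.0f} in {window_days} days is over 3x "
                       f"anticipated monthly turnover {expected:.0f}")
    if len(personal_payers) >= 20:
        reasons.append(f"{len(personal_payers)} distinct personal payers in {window_days} days")
    return reasons


# Constructed account-opening profile and credit history: an 'IT consultancy'
# that suddenly collects round-sum payments from 25 individuals.
AS_OF = date(2013, 4, 30)
SAMPLE_PROFILE = {"customer": "Brightwater Consulting Ltd",
                  "business_type": "IT consultancy",
                  "anticipated_monthly_turnover": 15000.0}
SAMPLE_CREDITS = [
    {"date": AS_OF - timedelta(days=i % 28), "amount": 2000.0,
     "payer": f"RETAIL PAYER {i:02d}", "payer_type": "personal"}
    for i in range(25)
]

if __name__ == "__main__":
    print(screen_payment("Northgate Capital Partners Ltd.", "GB29 NWBK 6016 1331 9268 20"))
    for reason in review_commercial_account(SAMPLE_PROFILE, SAMPLE_CREDITS, AS_OF):
        print("ALERT:", reason)
```

The screening function is deliberately strict (exact account or normalised-name match) so that alert quality, not false-positive volume, drives tuning; fuzzier matching belongs behind a governance decision of the kind the box's second bullet describes. The review rule carries the account-opening profile into the alert text, which is what makes the alert checkable against expectations rather than a bare threshold breach.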


Box 14.5: Protecting victims

Examples of good practice

• A bank contacts customers in the event it suspects a payment is being made to an investment fraudster.

• A bank places material on investment fraud on its website.

• A bank adopts alternative customer awareness approaches, such as mailing customers and branch awareness initiatives.

• Work to detect and prevent investment fraud is integrated with a bank’s vulnerable customers initiative.

Examples of poor practice

• Communication with customers on fraud just covers types of fraud for which the bank may be financially liable, rather than fraud the customer might be exposed to.

• A bank has no material on investment fraud on its website.

• Failing to contact customers a bank suspects are making payments to investment fraudsters on the grounds that this constitutes ‘investment advice’.

Box 14.6: Management reporting and escalation of suspicions

Examples of good practice

• A specific team focuses on investigating the perpetrators of investment fraud.

• A bank’s fraud statistics include figures for losses known or suspected to have been incurred by customers.

Examples of poor practice

• There is little reporting to senior management on the extent of investment fraud (whether victims or perpetrators) in a bank’s customer base.

• A bank is unable to access information on how many of the bank’s customers have become the victims of investment fraud.

Box 14.7: Staff awareness

Examples of good practice

• Making good use of internal experience of investment fraud to provide rich and engaging training material.

• A wide range of materials are available that cover investment fraud.

• Awards are given on occasion to frontline staff when a noteworthy fraud is identified.

• Training material is tailored to the experience of specific areas such as branch and relationship management teams.

Examples of poor practice

• Training material only covers boiler rooms.

• A bank’s training material is out-of-date.


Box 14.8: Use of industry intelligence

Examples of good practice

• A bank participates in cross-industry forums on fraud and boiler rooms and makes active use of intelligence gained from these initiatives in, for example, its transaction monitoring and screening efforts.

• A bank takes measures to identify new fraud typologies. It joins up internal intelligence, external intelligence, its own risk assessment and measures to address this risk.

Examples of poor practice

• A bank fails to act on actionable, credible intelligence shared at industry forums or received from other authoritative sources such as the FCA or City of London Police.


The Financial Conduct Authority
25 The North Colonnade, Canary Wharf, London E14 5HS
Telephone: +44 (0)20 7066 1000 Fax: +44 (0)20 7066 1099
Website: www.fca.org.uk
Registered as a Limited Company in England and Wales No. 1920623. Registered Office as above.