May not cover factors relevant to a particular situation or circumstance.
Frequently Asked Questions
Click Questions to see example responses, some of which include embedded links to reference sources.
Compliance or Quality Assurance (‘QA’) checks effectiveness of deployment of internal process and procedure (e.g. Is a consistent approach applied to the identification of and response to risk, via the adoption of senior management agreed protocols and standards).
Examples of high-level review activity
Testing focuses on assessment of the documented framework, oriented towards checking completeness of coverage (or conducting a gap analysis of existing content), such as:
Review policies and procedures in relation to anti-money laundering (‘AML’) and Combating the Financing of Terrorism (‘CFT’), to assess their content for consistency with requirements of, The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended) (‘MLR 2017’) and UK Good Practice, per Guidance published by the Joint Money Laundering Steering Group.
Review design of the firm’s arrangements to implement AML/CFT and Financial Sanctions policies, procedures and controls.
Review design of the firm’s arrangements to implement anti-bribery ‘adequate procedure’ arrangements in documented policies, procedures and controls.
Review design of the Quality Assurance framework and its coverage of relevant procedures and controls.
Review internal reporting procedures, such as used for the Reporting of Suspected Money Laundering, the Fraud Response Plan, Whistle-blowing, etc.
Examples of detailed review activity
Testing focuses on process validation and identifying enhancement needed, if any, to improve process design and output quality. Testing often uses a sample-based approach, oriented towards verifying a population of previously completed activity, such as: a collection of:
Customer due diligence files.
Transaction monitoring alerts.
Payment screening alerts.
Testing a reasonable cross-section or sample of completed work (or workflow elements) also provides a more holistic view on employee understanding, awareness and the effectiveness of their adoption of internal process and procedure, via a combination of:
Assessing the application of policy, procedure and minimum standards in operational activity (e.g. via sample-based, ad-hoc or thematic testing).
Interviewing personnel responsible for implementing procedures and minimum standards.
Interviewing policy and risk-owners to assess how oversight is applied to processes, controls and their effectiveness.
Reviewing the recording of, and response to, risk-events and policy breaches.
Whereas QA relates to independent persons testing activity previously completed by a team or function, Quality Control (‘QC’) is undertaken as part of a team or function’s workflow prior to sign-off of a completed process. QC might be the last process element used to determine whether activity has been completed, or if rework is required before approval or sign-off of a deliverable. QC is aligned to inspecting individual cases to check and ensure, or validate, that activity completed is consistent with applicable requirements and to an acceptable quality.
QC validation (often referred to as ‘4-eyes’ checking) focuses on ensuring that pre-defined requirements to produce a deliverable have been completed or, where found to be incomplete, the necessary remedial work is undertaken before sign-off/finalisation.
QC is usually completed as part of business-as-usual (‘BAU’) activity, possibly by a team leader or someone within a BAU team with responsibility for conducting 4-eyes checks.
Quality Assurance (‘QA’)
Quality Control (‘QC’)
Focus on systemic assurance in quality achieved across a population (e.g. collection of customer files).
Focus on ensuring fulfilment of required quality at a tactical level (e.g. individual customer file).
Aims to prevent systemic defect, via independent check & challenge of BAU activity.
Aims to identify and remediate tactical defect as part of BAU workflow.
Assess overall quality and consistency of procedure application – Verification.
Check conformity with applicable procedure – Validation.
Does not involve repeating detailed deployment of a process or procedure.
Always involves a level of detailed validation (or repeating) of how a process or procedure is applied.
Preventive tool to identify systems and controls risk in the operational environment.
Corrective tool to identify issue/anomaly prior to finalisation of a BAU activity/deliverable.
Proactive measure of effectiveness of policy and procedure deployment across a functional area.
Reactive measure of policy and procedure deployment, as applied in a BAU process or to an underlying activity.
Often involves end-to-end or broad-based review of how procedure is implemented in a process life-cycle.
Often involves detailed validation of procedure adoption in process segments.
Findings and outcomes inform senior management awareness on systems and controls risk.
Outcomes inform team/function management on adherence to process and procedure.
QA aims to prevent current and future defect/anomaly in the overall framework, whereas QC focuses ensuring application of existing requirements.
QA is a proactive measure to address control risk in how business is done, whereas QC is a reactive measure to ensure adoption of the existing internal process.
The ‘three lines of defence’ is a non-prescriptive model applied in the internal control framework of many firms regulated by the Financial Conduct Authority (‘FCA’). Formality of and responsibility for leading a defence within a regulated firm's framework, is considered by the FCA when assessing firms functional segregations and reporting structures (e.g. as part of an FCA visit).
First line of defence ('1LOD')
The arrangements within a firm to manage risk in business-as-usual ('BAU') activity (e.g. customer-facing operations, plus middle and back-office support):
Controls are designed into systems and processes, with risk ownership sitting in the first line.
Assuming that the design is appropriate to mitigate risk, compliance with BAU process should provide for an adequate control environment.
1LOD should include adequate managerial and oversight arrangements to ensure compliance; and also, to identify and report any material control weakness or inadequacy identified in an existing process, to respond to current, new or emerging risk.
Second line of defence ('2LOD')
Supported by the advisory and monitoring functions of Risk Management and Compliance, and often via a delegated committee/functional framework, 2LOD oversees effectiveness of implementation of the internal control framework:
Committees review how financial crime risk is managed in BAU, particularly with regard to senior management's risk appetite for the business.
Effectiveness of 2LOD oversight is influenced by committee membership and structure, terms of reference, competence of forum members and quality of management information or Key risk Indicators (‘KRI’) presented to (or requested by) oversight committees.
Significant findings/risks would usually be reported to an appropriate risk oversight committee, attended by one or more members of the executive; and/or to the Board Audit and/or Risk Committee in the 3rd line (depending upon a group or firm's committee structures).
Third line of defence ('3LOD')
Independent assurance and executive challenge:
Provided by the Board Audit Committee, a committee of non-executive directors chaired by the senior independent director, and the internal audit function.
Internal Audit reports on its delivery of a scheduled plan of risk based audits covering 1LOD and 2LOD responsibilities (including coverage of financial crime).
Where appropriate, Internal Audit might place some reliance on assurance work done by 2LOD committees/functions, to help inform a view on the effectiveness of (part of) a firm's financial crime framework,
Compliance monitoring is the application of quality assurance testing on the day to day activities of the business. The Compliance Monitoring Officer (or Team in larger firms) is usually an independent function within 2LOD, which provides reports of review findings and recommendations to senior management (e.g. following testing of effectiveness of 1LOD’s application of internal controls).
Review activity undertaken as part of an overall Compliance Monitoring Plan (‘CMP’), should be oriented to the structure and risks facing the business, or business areas to be reviewed. CMP content may comprise a library or blend of:
Activity which is local or oriented towards specific business unit risks.
Activity which is Group driven or provides cross-divisional assurance coverage.
Standard routines repeated on a periodic basis (e.g. prioritising higher risk areas).
Ad-hoc or targeted review (e.g. testing new procedure implementation and embedding).
Follow-up review (e.g. to check or verify progress made on previously agreed actions).
CMP review planning should:
Reflect the scale and complexity of the business area(s) to be reviewed.
Consider regulatory expectations (e.g. see ’FCA Financial Crime Guide’ - includes good and poor practice examples when managing money laundering risk).
Consider peer-group good practice (e.g. see ’Guidance’ published by the Joint Money Laundering Steering Group).
Involve consultation with key stakeholders who may have views on test area coverage (e.g. the Money Laundering Reporting Officer (‘MLRO’) is the person responsible for oversight of a regulated firm’s anti-money laundering (‘AML’) systems, per FCA Handbook SYSC 3.2.6).
Documenting Review Scope
Artefact development for each review might ordinarily cover:
Description of the nature and scope of testing to be carried out;
Timelines or scheduling for periodic and thematic activity;
Regulatory requirements, internal policy, procedure or Standard Operating Principles, against which assurance-testing will be undertaken;
Key sources, such as, information, data and people (or teams) to be covered by review activity;
Any known exceptions or, derogations to policy or procedure, applicable to the proposed review scope;
Defining the role of person(s) responsible for conducting testing (e.g. Compliance Officer, Financial Crime Compliance Officer, etc.);
Sample size and sourcing considerations;
Indicating where and how review findings will be recorded, including recommendations and actions arising;
Identifying persons/forums to receive review findings (e.g. risk owners, committees, etc.); and
Where fieldwork and supporting information should be stored for audit trail purposes.
Findings of CMP review activity should:
Aid inform understanding of how risk is managed in the business.
Help identify if material weakness exists in systems and controls.
Inform awareness on how regulatory risk is covered (and responded to).
Enable senior management to assess whether:
The business operates within risk-appetite / tolerance; and
Existing systems, controls and resourcing are adequate.
An appropriate sample is one which provides confidence that findings of a review of the sample selected will be representative of the total population, within an acceptable level of confidence or margin for error - For example, if you use a confidence interval of 5 and 56% of the sample reviewed identified an issue (say ‘X’), you can be fairly sure that if you had tested the same point in the wider population, between 51% (56-5) and 61% (56+5) would have identified the same issue (i.e. ‘X’).
The relevant period to be covered by QA testing is defined in a firm’s risk-based approach. The simple model illustrated in the table below suggests verification is conducted on all higher-risk customers on-boarded in the month, with other customer risk classes covered by a reducing ratio of randomly selected cases:
New Customer on-boarding (Month)
Margin for Error
Example factors relevant to sample selection:
Imperfection - A sample is unlikely to perfectly represent the total population. Consequently, error or inconsistency will creep into review outcomes. The margin for error depends on how much you are willing to accept. The lower the margin the bigger the sample required, with more work effort needed to complete a review.
Inaccessibility – Variance in completeness, nature, volume and location or availability of supporting data, documents or other information can influence error.
Inconsistency – Non-uniformity in data or supporting record, or variance in local working practices can impact consistency of sampled content.
Selection – Failure to source a random sample, where needed, could lead to wilful or deliberate blindness in egregious cases, or unwanted bias in others.
Confidence Level – Indicating a level of certainty that a parameter falls within a confidence interval. Commonly adopted intervals are 90%, 95% or 99%. Higher confidence levels require larger sample sizes.
Reviewer capability – Where subject matter expertise is needed to review/assess how risk is addressed or the effectiveness of an internal control, interpretation error can creep in to review findings if a reviewer lacks sufficient awareness of risk triggers.
This FAQ is not intended to be a briefing on statistical analysis, but notes that achieving a higher degree of confidence (i.e. of sample findings being more representative of the total population), a large sample size may be required. However, a risk-based approach provides opportunity to balance effort needed with the potential for risk and an acknowledged margin for error.
Example online tools to aid sample size selection include*:
* FCRM is not associated with providers of these example tools, nor do we endorse their functionality over and above others which may be openly available. Links are provided for information purposes only, with any decision to use them being entirely at your own risk.
It is important to be clear as to where ‘Key risk’ is identified and where risk ownership resides (or should reside), particularly when remedial activity may be needed to provide a fix or implement a compliant solution. This may occur when, for example, material non-conformance with a regulatory requirement has been identified, or where it is not possible to demonstrate conformance with a regulatory requirement (e.g. the Money Laundering Regulations require firms must apply enhanced customer due diligence measures and enhanced ongoing monitoring (in addition to customer due diligence measures), to manage and mitigate the risks arising in certain higher risk cases).
In addition to the risk of prosecution for non-compliance with a legal requirement, a regulated firm’s inability to respond to relevant higher risk cases could be a red-flag alert to a regulator, about the particular firm’s approach to financial crime risk management, its internal culture and/or the firm’s senior management arrangements.
Where possible, review findings should be clear on the how and where non-compliance is identified, such as:
Do findings relate to the work done by one individual in a team, or is the issue more widespread and indicative of broader systemic risk (e.g. inadequate policy, procedure or practice, or a general failure to apply procedural requirements)?
Do findings identify the locus or ‘risk-centre’ where a material or significant deficiency has been identified in operational activity, but responsibility for a solution sits elsewhere (e.g. an IT system-dependency, where the area reviewed is an end-user of a bank-wide system but not the system owner, who operates out of a different risk-centre (e.g. Operations IT))?
Do findings indicate a gap exists in the internal framework (e.g. previous updates to regulatory requirements have not been implemented into internal process, due to lack of awareness of the regulatory change or ownership for their implementation, etc.)
As well as the ‘how’ and ‘where’, senior management need information to understand the risk-significance (or materiality) of any non-compliance identified. One way of doing this is to apply a rating or score to indicate relative ‘Significance’ of an issue, where: Priority Risk Rating = Consequence x Likelihood.
Where a firm already utilises an effective risk-rating framework the same approach should be adopted for consistency. Where an in-house approach does not exist or is in early stage development, the simple 3-element model below might be useful to incorporate or amend for use within a firm.
Business Impact (examples)
Significant non-compliance with regulation, exposing the firm to risk of regulatory intervention, sanction or enforcement.
Significant non-conformity to Policy exposing the firm to operating/transacting outside of risk-appetite.
Significant non-compliance with internal procedure, or systemic manipulation (or over-ride) of internal controls.
Non-compliance with regulation, exposing firm to risk of regulatory review/challenge of control effectiveness.
Non-conformity to Policy with adverse impact on firm’s financial crime controls and/or increased regulatory risk potential.
Non-compliance with internal procedure or material control gap identified, impacting firm’s risk-management framework.
Anomaly indicates clarification needed in procedure content or improvement to operational deployment.
Risk is addressed but improvement needed in transparency of decisioning and/or associated audit trail completeness.
Local non-compliance with, or misunderstanding of operating procedure which, if not remedied, could lead to systemic risk.
Consequences do not impact financial crime risk-management, but indicate a failure to accomplish a business objective (e.g. workflow efficiency, throughput, etc.).
Consequences do not present financial crime risk, but indicate administrative failure in the end-to-end business process.
How likely is this event to occur?
Highly likely, this risk/event is expected to occur.
Strong possibility that a risk/event will occur and sufficient reliable trend analysis or historical data (e.g. internal incidence data, external reporting by regulators’, etc.) supports the assessment.
Risk/event may occur at some point in the next [1 - 3 years], although reliable historical data is not currently available to support the assessment.
Not expected, but a remote/slight possibility the risk/event may occur.
Highly unlikely, but might occur in unique circumstances, or if a material change occurs in the business or BAU activity.
Priority Risk Rating
Priority recommendations or proposals, etc.
1 - 2
Define immediate option(s)/action(s) to mitigate identified risk(s).
Ensure immediate senior management awareness of and involvement in decisioning / response.
Assess need for timely self-reporting to regulator/other body.
Prepare action plan with timelines, ownership and deliverables.
3 - 4
Propose action(s)/next steps to address identified risk(s).
Ensure timely senior management awareness and involvement in next steps/response.
Assess need for inclusion in regulatory reporting/updates.
Monitor for change in risk profile / risk-mitigation needs.
5 - 7
8 - 14
Propose action(s)/next steps to address identified risk.
Ensure reporting via governance framework to senior management.
Monitor for change in risk profile / risk-mitigation needs.
15 - 19
Risk should be assessed on a periodic basis, but does not pose serious threat to the firm at the present time.
20 - 25
Example Influences - QA
Factors influencing QA testing include:
QA resource availability (e.g. independent of the team/system whose work is tested).
Review priorities (e.g. scheduled or proposed QA activity might change in response to new/emerging risk being identified).
Population size (e.g. reviewing c.25% of a total population of 5,000 is a much bigger task than, say, reviewing c.25% of a population of 100).
Review period coverage (e.g. weekly, monthly, quarterly, etc.).
Confidence in QC capability (e.g. where 4-eyes quality control in BAU workflow operates effectively, the nature and scope of QA activity might be oriented to focus on higher-risk attributes and key decision points than, say, relatively lower risk attributes or decision points in a workflow process).
Known issues management (e.g. where a known issue exists which is already subject to senior management awareness and oversight of previously agreed remedial activity, there is little value in reporting what is already known - save where review scope incorporates remediation response).
Example Influences - QC
Factors influencing QC capability include:
QC resource availability (e.g. independent of the person who completed a particular task, but often in close proximity to aid timely review and feedback, or to initiate/complete any necessary remedial action required before applying sign-off approval).
Timing (e.g. should be factored into BAU arrangements and completed before finalisation or sign-off of workflow activity).
Tools/capability (e.g. evidencing QC review, such as, use of ‘tick-sheets’, issue capture and BAU feedback processes, etc. ).
Findings should be measurable and used to inform senior management view on, whether:
Internal process and procedure are appropriately documented.
Process and procedure are understood, deployed effectively and applied consistently in the area reviewed.
Output achieved from a process is of the right quality.
Findings align to senior management risk-appetite (and regulatory requirements, where applicable).
New/emerging risk is identified, which requires notification to senior management (or approved governance forum, such as, a Risk Committee).
Improvement is needed in a process design, or an enhancement to procedure content or its application.
Remedial activity has been / is being delivered within previously defined remediation requirements.
QC (4-eyes) Outcomes
Findings should provide team/functional management with a view on, whether:
Internal process and procedure are appropriately understood and implemented.
Workflow/task completion conforms to applicable procedure – or if misunderstanding of procedure content or a systems dependency causes problems.
BAU output is of the right quality.
Improvement is needed in BAU application of process or procedure.
Material training / awareness needs have been identified.
Raise awareness in the workforce of a need to ensure application of senior management approved protocols and standards on how business is done.
Inform management and other internal stakeholders on effectiveness of application of protocols and standards.
Identify opportunity to recommend improvement/enhancement to senior management, on the content and application of internal protocols and standards.
Enable the firm to demonstrate to external parties, if needed (e.g. regulators, customers, government agencies, certifying bodies, and other third parties) measures in place to ensure compliance with legal and regulatory requirements, and which serve to provide confidence that business processes fulfil quality requirements.
Validate quality of BAU output / deliverables.
Embed awareness of BAU application of process and procedure.
Inform the basis of timely feedback to BAU team (where needed) on quality issues identified via 4-eyes checks.
Inform management on the application of process and procedure, and BAU quality.