Financial Crime Risk Management

Financial Crime Framework - FAQ

May not cover factors relevant to a particular situation or circumstance.


Frequently Asked Questions



A clearly documented Financial Crime Framework provides transparency and structure against which to develop and maintain consistency of approach to managing financial crime risk. The framework should apply to the firm, business or group for which it has been developed. The underlying level of detail required will be informed by the nature and complexity of the organisation to which it relates, as well as being driven by the needs/expectations of senior management (e.g. risk appetite).

Frameworks typically cover activity undertaken in the first and second lines of defence, but might also incorporate third line activity or review themes, where:

  • First line - Owns operating risk. Typically comprises the front office (e.g. sales and client-facing teams) plus any middle- and back-office support to front line operations;
  • Second line - Does not own operating risk. Typically provides advice and oversight/challenge to first line risk management (e.g. via assurance testing); and
  • Third line - Internal Audit. Operates independently of the first and second lines. Some have financial crime subject matter expertise (‘SME’), but not in every case.

Financial Crime Typology

Defining framework coverage is important, to ensure clarity of what risks are in scope and which are not. The framework might cater for any kind of criminal conduct, or be tailored to criminal conduct relating to money or to financial services or markets, covering typologies such as:

  1. Bribery or corruption.
  2. Fraud or dishonesty.
  3. Financial sanctions or embargoes.
  4. Misconduct in, or misuse of information relating to, a financial market.
  5. Money laundering or handling the proceeds of crime.
  6. The financing of terrorism.

Some firms might also include Information Security, Data Protection, or other risk areas in framework coverage. If such areas are not in scope, the wider risk management framework should be clear as to where responsibility rests for other key risk areas (e.g. responsibility for responding to data loss or misuse, allegations of theft or fraud by an employee, whistleblowing alerts, etc.).

Framework Content

Example themes to consider in content development:

  • Senior management risk-appetite (see FAQ 2).
  • Policy and procedure framework (e.g. Completeness of artefacts/library content).
  • Governance and Oversight of financial crime risk (e.g. Committees, risk owners, etc.).
  • Assurance and effectiveness (e.g. Conformity testing, Internal Audit review, etc.).
  • Key risk indicators (e.g. metrics to inform risk exposure), such as the number of:
    - High risk relationships
    - Politically Exposed Persons (‘PEPs’)
    - Customer relationships where customer due diligence is incomplete or overdue
    - Relationships declined or exited for financial crime reasons
    - Customers with high risk operations (or other risk factors)
    - Transactions/activity with countries subject to sanctions and embargo
    - Relationships with customers in tax havens
    - Bearer share relationships
    - Suspicious activity reports (received internally and reported externally)
    - Law enforcement information requests received
    - Other…
  • Resource (e.g. persons/teams responsible for AML, Fraud Response, Bribery prevention, etc.)
  • Systems capability (e.g. Transaction monitoring, Payments screening, etc.).
  • Training (e.g. Coverage, delivery and completion).
  • Internal reporting processes (e.g. whistle-blowing, suspicious activity, etc.)
  • Monitoring for new/emerging risk (e.g. New law/regulation, Industry forums, Regulatory notices, etc.)

Interested Parties

In addition to the board / senior management executive and the Money Laundering Reporting Officer (‘MLRO’) in an FCA regulated firm, other stakeholders or parties who may have an interest in the framework defined include:

  • Risk owners in the business.
  • Company Secretariat.
  • Relevant governance committees.
  • Non-executive directors.
  • Internal Audit (e.g. local and/or Group).
  • Regulatory bodies (e.g. FCA, HMRC, etc.).
  • The courts (e.g. if relevant to a defence to corporate offences under the Bribery Act 2010 or the Criminal Finances Act 2017).

Implementation should be supported by appropriate resource and risk mitigation measures, reflecting senior management priorities and risk appetite.

The effectiveness of framework implementation should be included in regular reporting to senior management (and MLRO, where applicable in a regulated firm).


A Risk Appetite Statement (‘RAS’) is used to articulate an organisation’s (or firm’s) appetite for risk: the extent of risk it is prepared to tolerate (often referred to as ‘residual’ or ‘tolerable’ risk) and the risk it is not willing to accept or tolerate (‘out of appetite’).

Senior Management Ownership

‘Guidance on Board Effectiveness’, published by the Financial Reporting Council, identifies: "the board determines the nature, and extent, of the significant risks the company is willing to embrace in the implementation of its strategy". The board is ultimately responsible for risk management and internal control, including for the determination of the nature and extent of the principal risks it is willing to take to achieve its strategic objectives and for ensuring that an appropriate culture has been embedded throughout the organisation.

As noted in the FCA’s Financial Crime Guide (FCG 2.2.2) – “Management Information (‘MI’) should provide senior management with sufficient information to understand the financial crime risks to which their firm is exposed. This will help senior management effectively manage those risks and adhere to the firm’s own risk appetite. MI should be provided regularly and ad hoc, as risk dictates.”


RAS content is used to inform the tone and content of policy, procedure and operational risk standards, for example to:

  • Inform business retention and development strategy – From a money laundering risk lens, this might influence the number or percentage of high risk customers ordinarily retained in a diverse customer portfolio, or the number of customers operating in high risk jurisdictions or which trade in higher risk activities, etc.
  • Performance and incentive management – From a bribery & corruption risk lens, this might influence the number or percentage of third party brokers, agents or intermediaries used by a firm, or the additional oversight required on commissions and other payments made to such parties when they are unregulated or operate out of countries considered higher risk for bribery or corruption, etc.
  • Inhibiting personnel from making decisions that are not aligned to the organisational risk appetite – From a financial sanctions risk lens, this might influence the types of transaction a firm will administer or process for its clients, if a client has ‘material’ operations or ‘significant’ exposure to jurisdictions or persons which are subject of financial sanctions. Materiality and Significance are variables to be defined as part of a risk-based approach, as to what is tolerable or out of appetite.

A clearly defined RAS informs business strategy and resource allocation, as well as priority areas for embedding effective internal systems and controls. Reviewing and communicating risk tolerance thresholds (i.e. risk appetite) should be undertaken on a regular/scheduled basis, but with flexibility to enable a re-baseline in response to new/emerging significant threats (e.g. introduction of new legal or regulatory obligations, change to financial sanctions country regimes, additions or redactions made to HM Treasury’s Advisory Notices on risk posed by jurisdictions with unsatisfactory money laundering and terrorist financing controls, etc.).


The nature and extent of a framework will vary between firms. This FAQ sets out some considerations, but development might also be influenced by other organisational or environmental factors not mentioned below (e.g. merger and acquisition activity, organisational change activity, a regulatory requirement, or remedial activity being undertaken in response to previously identified risk, etc.).

Example Influences

  • Is the framework a parent entity requirement within a Group, or does it apply to one or more operating divisions within a group, or is it applicable to a single division or entity’s financial crime arrangements?
  • Is any material outsourcing, agency or other reliance arrangement in place, including inter-group operational support or business development activity?
  • Size and complexity of operations.
  • Numbers and locations of first and second line personnel.
  • Location and infrastructure of significant operational activity.
  • Numbers and locations of financial crime resource, skill sets, etc.
  • Availability and completeness of relevant policies, procedures and standard operating principles, etc.
  • Internal governance arrangements for risk oversight.
  • Clarity of risk ownership for financial crime in the first and second lines.
  • Content and frequency of training provided to relevant personnel.
  • Internal reporting arrangements (e.g. concerns and suspicions).
  • Record keeping arrangements (e.g. customer and transaction information).
  • Core systems dependencies (e.g. used for transaction monitoring, staff screening, customers and supplier screening, payment screening, etc.).

Business Activity

  • Nature of product/service offered and risk rating.
  • Geographies in which material business activity undertaken.
  • Where and how sales and marketing activity undertaken.
  • Payment processes, controls and currencies used.

Customer Influences

  • Customer types and risk classification.
  • Geographic locations and country risk.
  • Customer nature of business or trade (e.g. casinos, money service business, charity, etc.)
  • Nature and volume of customer trades/transactional activity.
  • High risk typologies (e.g. Politically Exposed Persons, Bearer share entities, etc.).
  • Completeness and timeliness of customer due diligence / know your customer (‘KYC’) information.

Supply Chain Influences

  • RFP and supply chain on-boarding.
  • On-going monitoring (e.g. fees and commissions, etc.)
  • Completeness and timeliness of supplier due diligence / know your supplier (‘KYS’) information.

Overview

    As noted by the Financial Action Task Force (‘FATF’), a risk-based approach (‘RBA’) means identifying, assessing and understanding the money laundering and terrorist financing risk to which a firm is exposed, and taking appropriate mitigation measures in accordance with the level of risk.

    Regulatory Driver

    For UK regulated firms, The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended (‘MLR 2017’), require: “A relevant person must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject.” MLR 2017 also requires that a regulated firm take into account:

    1. Information made available to them by the supervisory authority under regulations 17(9) and 47, and
    2. Risk factors including factors relating to:
      1. its customers;
      2. the countries or geographic areas in which it operates;
      3. its products or services;
      4. its transactions; and
      5. its delivery channels.

    The Joint Money Laundering Steering Group (‘JMLSG’) is a private sector body made up of the leading UK Trade Associations in the financial services industry. Guidance issued by the JMLSG includes (Chapter 4, Part I):

    Core Obligations
    • Identify and assess the risks of money laundering and terrorist financing to which the business is subject
    • Appropriate systems and controls must reflect the degree of risk associated with the business and its customers
    • Determine appropriate Customer Due Diligence measures on a risk-sensitive basis, depending on the type of customer, business relationship, product or transaction
    • Take into account situations and products which by their nature can present a higher risk of money laundering or terrorist financing; these specifically include correspondent banking relationships; and business relationships and occasional transactions with Politically Exposed Persons

    Actions required, to be kept under regular review
    • Carry out a formal, and regular, money laundering/terrorist financing risk assessment, including market changes, and changes in products, customers and the wider environment
    • Ensure internal policies, controls and procedures, including staff awareness, adequately reflect the risk assessment
    • Ensure customer identification and acceptance procedures reflect the risk characteristics of customers
    • Ensure arrangements for monitoring systems and controls are robust, and reflect the risk characteristics of customers

    RBA flexibility allows for a more efficient use of resources, enabling a firm to decide on the most effective way to mitigate the identified money laundering / terrorist financing risks. Firms may focus their resources and take enhanced measures in situations where the risks have been assessed to be higher, apply simplified measures where assessed risk is lower and to exempt low risk activities in appropriate instances.

    FATF RBA guidance

    The FATF publishes guidance on the risk-based approach for different sectors, examples include:

    Other AML guidance sources

    See also Question 4 in our general ‘Money Laundering - FAQ’


    It is a defence to the Corporate Offence under the Bribery Act 2010, for a commercial organisation to show that it has ‘Adequate Procedures’ in place to prevent bribery being committed by those associated with it.

    Ministry of Justice

    As noted in Ministry of Justice Guidance "commercial organisations should adopt a risk-based approach to managing bribery risks. Procedures should be proportionate to the risks faced by an organisation. No policies or procedures are capable of detecting and preventing all bribery. A risk-based approach will, however, serve to focus the effort where it is needed and will have most impact. A risk-based approach recognises that the bribery threat to organisations varies across jurisdictions, business sectors, business partners and transactions."

    Ministry of Justice Guidance incorporates six Principles:

    1. Proportionate procedures - A commercial organisation’s procedures to prevent bribery by persons associated with it are proportionate to the bribery risks it faces and to the nature, scale and complexity of the commercial organisation’s activities. They are also clear, practical, accessible, effectively implemented and enforced.
    2. Top-level commitment - The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.
    3. Risk Assessment - The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodic, informed and documented.
    4. Due diligence - The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.
    5. Communication (including training) - The commercial organisation seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the organisation through internal and external communication, including training, that is proportionate to the risks it faces.
    6. Monitoring and review - The commercial organisation monitors and reviews procedures designed to prevent bribery by persons associated with it and makes improvements where necessary.

    Financial Conduct Authority

    The Financial Conduct Authority (‘FCA’) does not enforce Bribery Act requirements, but the regulator does expect authorised firms to have considered and taken steps to address the risk of bribery and corruption within their business, including where these risks come from third parties. The FCA considers that the guidance in FCG 2.2.4 G (on risk assessment in relation to financial crime) also applies to bribery and corruption.

    Reasonable steps noted by the FCA are likely to include:

    • Senior management that stays up to date with, and fully abreast of, bribery and corruption issues
    • Adequate bribery and corruption risk assessment – see also FCG 6.2.2
    • Policies and procedures (including staff recruitment, vetting and remuneration) that cover bribery and corruption risks
    • Training and awareness programmes that ensure staff have adequate understanding of the risks associated with bribery and corruption
    • Adequate and risk-sensitive measures that address the risk that a third party acting on behalf of the firm may engage in corruption


    Firms need to have an appropriate means of monitoring payment instructions (i.e. manual or automated) to ensure that no payments are made to targets of financial sanctions (or their agents). In the regulated sector this obligation applies to all firms, and not just to banks.

    The Office of Financial Sanctions Implementation (‘OFSI’) should be notified when funds are frozen under financial sanctions legislation or where a firm has knowledge or a suspicion that financial sanctions measures have been or are being contravened, or that a customer is a listed person or entity, or a person acting on behalf of a listed person or entity.

    A firm is open to prosecution if it fails to comply with an obligation to freeze funds, not to make funds, economic resources or, in relation to suspected terrorists, financial services, available to listed persons or entities or to report knowledge or suspicion.

    Office of Financial Sanctions Implementation

    OFSI Guidance does not use the term ‘risk-based approach’. Its content does include: "OFSI’s view is that financial sanctions are generally widely publicised and that businesses, particularly those operating internationally, will have reasonable cause to suspect that sanctions might be relevant to them. Therefore, they won’t be able to avoid liability simply by failing to consider their sanctions risks."

    OFSI expects businesses engaging in activities where financial sanctions apply to stay up-to-date with the sanctions regimes in force, and to:

    • Consider the likely exposure of their business to sanctions
    • Take appropriate steps to mitigate those risks, taking into account the specific nature of their activities

    Where risk-mitigation includes the use of an e-verification provider or screening software, which may be tailored to business needs and risk profile, OFSI identified issues to consider include:

    • Does the search facility include the OFSI consolidated list?
    • How often does the search facility or screening software update the list?
    • Does the search facility or screening software offer fuzzy matching, enabling differences in spelling, name reversal and number removal to be identified?
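    The three OFSI considerations above (list coverage, update frequency, and fuzzy matching that tolerates spelling variation, name reversal and number removal) can be shown in a small name-screening routine. This is an added example, not OFSI's or any vendor's code; the list entries, identifiers, the 0.85 score threshold and the one-day staleness limit are constructed assumptions for illustration.

```python
"""Name screening against a constructed sanctions-style list.

Added illustration of the OFSI screening considerations; the entries below
are constructed sample data, not real designations.
"""
import re
import unicodedata
from datetime import date
from difflib import SequenceMatcher

# Constructed sample list: (list_id, primary name, known aliases).
CONSTRUCTED_LIST = [
    ("CONSTRUCTED-001", "Example Trading Company Limited", ["Example Trading Co Ltd"]),
    ("CONSTRUCTED-002", "Ivan Petrov", ["Petrov, Ivan", "Ivan Petrov 1"]),
]

# Date the constructed list was "published"; used for the staleness check.
CONSTRUCTED_LIST_DATE = date(2024, 1, 1)

# Legal-form words that add noise when comparing company names.
STOPWORDS = {"limited", "ltd", "co", "company", "llc", "inc", "corp",
             "corporation", "plc"}


def normalise(name):
    """Canonical form of a name for comparison.

    Strips accents, lower-cases, removes digits (number removal), turns
    punctuation into spaces, drops legal-form words and sorts the remaining
    tokens so that 'Petrov, Ivan' and 'Ivan Petrov' compare equal (name
    reversal).
    """
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = text.lower()
    text = re.sub(r"\d+", " ", text)        # number removal
    text = re.sub(r"[^a-z\s]", " ", text)   # punctuation -> space
    tokens = [t for t in text.split() if t not in STOPWORDS]
    return " ".join(sorted(tokens))


def similarity(a, b):
    """Character-level similarity (0..1) of two normalised names; this is
    what tolerates minor spelling differences such as Petrov/Petrow."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def screen(name, sanctions_list=CONSTRUCTED_LIST, threshold=0.85):
    """Return [(list_id, matched_name, score)] for every entry whose primary
    name or alias scores at or above the threshold, best match first."""
    hits = []
    for list_id, primary, aliases in sanctions_list:
        score, cand = max((similarity(name, c), c) for c in [primary] + aliases)
        if score >= threshold:
            hits.append((list_id, cand, round(score, 3)))
    hits.sort(key=lambda h: h[2], reverse=True)
    return hits


def list_is_stale(published=CONSTRUCTED_LIST_DATE, today=None, max_age_days=1):
    """True when the loaded list is older than the allowed age; a screening
    run against a stale list should be flagged rather than trusted."""
    today = today or date.today()
    return (today - published).days > max_age_days


if __name__ == "__main__":
    for candidate in ["Petrov, Ivan", "Ivan Petrow", "Petrov Ivan 2",
                      "Example Trading Co. Ltd.", "John Smith"]:
        print(candidate, "->", screen(candidate))
    print("list stale:", list_is_stale(today=date(2024, 1, 3)))
```

    A real deployment would load the OFSI consolidated list itself and tune the threshold to the firm's false-positive tolerance; the scoring shown here is only one simple way to meet the fuzzy-matching expectation.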

    Financial Conduct Authority

    The FCA is not responsible for enforcing asset freezes or sanctions, but the regulator does expect authorised firms to maintain systems and controls which mitigate the risk of financial crime, including those that enable a firm to meet financial sanctions obligations. The FCA view is that: "These may need to be different from those you might have in place for anti-money laundering purposes, because compliance with sanctions means that you also need to consider to whom payments are being made and whether funds are from an entirely legitimate source."

    The FCA expects firms to have effective, up-to-date screening systems appropriate to the nature, size and risk of its business. The regulator provides examples of good practice for sanctions systems and controls in Chapter 7 of its Financial Crime Guide, which also includes a series of self-assessment questions, such as:

    • "Does your firm have a clear view on where within the firm breaches are most likely to occur? (This may cover different business lines, sales channels, customer types, geographical locations, etc.)"
    • "How is the risk assessment kept up to date, particularly after the firm enters a new jurisdiction or introduces a new product?"

    Chapter 5 (Part I) of the JMLSG Guidance includes:

    5.3.58 - To reduce the risk of breaching obligations under financial sanctions regimes, firms are likely to focus their resources on areas of their business that carry a greater likelihood of involvement with targets, or their agents. Within this approach, firms are likely to focus their prevention and detection procedures on direct customer relationships, and then have appropriate regard to other parties involved.

    5.3.59 - Firms need to have some means of monitoring payment instructions to ensure that proposed payments to targets or their agents are not made. The majority of payments made by many firms will, however, be to other regulated firms, rather than to individuals or entities that may be targets.

    5.3.60 - Where a firm freezes funds under financial sanctions legislation, or where it has suspicions of terrorist financing, it must make a report to OFSI, and/or to the NCA. Guidance on such reporting is given in paragraphs 6.33 to 6.42.


    Fraud can take a variety of forms including (but not limited to) internal staff fraud, external or third party fraud, false accounting, phishing, boiler room fraud, mortgage fraud, insurance fraud, carousel fraud, identity theft and advance fee fraud.

    Under The Companies Act 2006 a director or officer of a company might be in default if he or she authorises, permits, participates in, or fails to take all reasonable steps to prevent certain offences being committed, some of which relate to fraud. A company, and any director who consented to or connived in the act, may be held criminally liable for fraud under the Fraud Act 2006.

    Financial Conduct Authority

    From a regulatory context, the Financial Conduct Authority (‘FCA’) considers that good practice is demonstrated when firms engage with relevant cross-industry efforts to combat fraud. The FCA prioritises consumer protection as potential victims of fraud, above the protection of firms themselves as potential victims. The regulator’s view is: "Fraud is an area of regulation where we align our goals with those of regulated firms. We recognise that firms already have strong incentives to manage fraud risks — fraud costs them money and losses can affect firms' profitability. We promote a partnership approach to tackling fraud and aim to work with the market and to encourage collaboration."

    Key fraud issues noted by the FCA relate to:

    Systems and Controls

    In its Financial Crime Guide (FCG 4.2.1 G) the FCA opines: "All firms will wish to protect themselves and their customers from fraud. Management oversight, risk assessment and fraud data will aid this, as will tailored controls on the ground. We expect a firm to consider the full implications of the breadth of fraud risks it faces, which may have wider effects on its reputation, its customers and the markets in which it operates."

    To inform a risk based approach, FCG 4 provides indications of good and poor practice linked to fraud, along with a series of self-assessment questions posed by the FCA. They include:

    • What information do senior management receive about fraud trends? Are fraud losses accounted for clearly and separately to other losses?
    • Does the firm have a clear picture of what parts of the business are targeted by fraudsters? Which products, services and distribution channels are vulnerable?
    • How does the firm respond when reported fraud increases?
    • Does the firm’s investment in anti-fraud systems reflect fraud trends?

    Fraud, Error and Other Irregularities

    The risk based approach in a firm supervised by the FCA should take into account FCA Handbook SUP 15.3.17 R, which requires a firm to notify the FCA immediately if one of the following events arises and the event is significant:

    1. It becomes aware that an employee may have committed a fraud against one of its customers; or
    2. It becomes aware that a person, whether or not employed by it, may have committed a fraud against it; or
    3. It considers that any person, whether or not employed by it, is acting with intent to commit a fraud against it; or
    4. It identifies irregularities in its accounting or other records, whether or not there is evidence of fraud; or
    5. It suspects that one of its employees may be guilty of serious misconduct concerning his honesty or integrity and which is connected with the firm's regulated activities or ancillary activities.

    In determining whether a matter is significant, a firm should have regard to:

    • The size of any monetary loss or potential monetary loss to itself or its customers (either in terms of a single incident or group of similar or related incidents);
    • The risk of reputational loss to the firm; and
    • Whether the incident or a pattern of incidents reflects weaknesses in the firm's internal controls.


    Understanding the range and extent of financial crime risk facing a firm is key to informing proportionate and effective systems and controls in a financial crime framework. Assessment should take account of financial crime risks within jurisdictions in (or through) which it does business. Where necessary, firms can then target resource, systems and controls on the areas presenting greatest risk, or with potential for being out of risk-appetite - which could differ between jurisdictions.

    A jurisdiction might be classified high risk due to weaknesses in its anti-money laundering regime, a perception of high corruption risk, enabling tax evasion, or due to being subject to UK or international financial sanctions. If undertaking material business with a jurisdiction lacking well-established rules of law, or with Politically Exposed Persons (or companies with which they are involved) in a country with high levels of corruption, such factors might trigger a need to implement enhanced due diligence on transactions or the parties linked to them.

    Country Risk Sources

    Money Laundering FAQ 8 provides more information on example country risk sources (via self-service or commercial options).


    An agent or Appointed Representative acts on behalf of a principal. The principal should ensure agent activity is aligned to the principal’s policies and procedures.

    Firms regulated by the Financial Conduct Authority (‘FCA’) cannot contract out of their regulatory responsibilities and remain responsible for systems and controls in relation to outsourced activity, whether undertaken within the UK or another jurisdiction. A Financial Crime Framework should reflect regulatory expectations.

    OECD Due Diligence Guidance for Responsible Business Conduct (‘RBC’) includes: "Due diligence is appropriate to an enterprise’s circumstances – The nature and extent of due diligence can be affected by factors such as the size of the enterprise, the context of its operations, its business model, its position in supply chains, and the nature of its products or services." As part of the due diligence approach (for varying risk typologies), OECD guidance suggests: "Map the enterprise’s operations, suppliers and other business relationships, including associated supply chains, relevant to the prioritised risk."

    Agents & Intermediaries of Regulated Firms

    The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (‘MLR 2017’) requires firms to take appropriate measures to ensure that relevant employees and agents are made aware of the law relating to money laundering and terrorist financing, and that they are regularly given training in how to recognise and deal with transactions and other activities or situations which may be related to money laundering or terrorist financing.

    UK good practice, per Guidance issued by the Joint Money Laundering Steering Group (‘JMLSG’), includes:

    • If an intermediary is an agent or appointed representative of a regulated firm (i.e. the product or service provider), the intermediary is an extension of the regulated firm (e.g. in the case of customer due diligence (‘CDD’), the product/service provider is responsible for specifying what should be obtained, and for ensuring that records of the appropriate verification evidence taken in respect of the customer are retained).
    • When the intermediary is acting as agent of the customer and located in a higher risk jurisdiction, or in a country listed as having material deficiencies, the risk-based approach should be aimed at ensuring that the business does not proceed unless the identity of the underlying customers has been verified to the product/service provider’s satisfaction (i.e. consistent with UK CDD requirements).
    • Where a UK financial institution has overseas branches, subsidiary undertakings or associates, where control can be exercised over business carried on outside the United Kingdom, the firm must put in place a group AML/CTF strategy.

    A Financial Crime Framework should take account of: (i) agent / appointed representative arrangements; (ii) material outsourced service providers; and (iii) the potential for conflict between UK AML/CTF requirements and those which operate in a location where agents are located, or where outsourced activity is provided.

    Associated Persons

    Agents and intermediaries are likely to be considered ‘Associated Persons’ covered by the Bribery Act 2010, which provides that a commercial organisation is liable if a person ‘associated’ with it bribes another person intending to obtain or retain business or a business advantage for the organisation. The level of risk facing an organisation will vary as between the type and nature of the persons associated with it:

    • The Bribery Act provides a defence to the corporate offence, which is likely to include consideration of the adequacy of procedures in place to prevent bribery on the part of associated persons. They should be designed to mitigate identified risks as well as to prevent deliberate unethical conduct on the part of associated persons.
    • For more on anti-bribery and corruption (including Associated Persons), see ‘Anti-Bribery & Corruption – FAQ’.

    Agents and intermediaries are also likely to be considered ‘Associated Persons’ covered by the Criminal Finances Act 2017, which provides that a company or partnership is liable if a person ‘associated’ with it criminally facilitates tax evasion, in the capacity of being an employee or an associated person, when providing services for or on behalf of the business:

    • Similar to the Bribery Act corporate defence, a business will have a defence if it can prove that it had put in place reasonable prevention procedures to prevent the facilitation of tax evasion taking place, or that it was not reasonable in the circumstances to expect there to be procedures in place.
    • For more on the corporate offences of failure to prevent facilitation of tax evasion (including Associated Persons), see ‘Tax Evasion – FAQ’.

    A Financial Crime Framework should take account of Associated Person risk, including how they provide (or could be perceived to be providing) services for or on behalf of the firm.

    Regulatory Considerations

    The FCA Handbook (SYSC 13.9.3) clearly states: "A firm should not assume that because a service provider is either a regulated firm or an intra-group entity an outsourcing arrangement with that provider will, in itself, necessarily imply a reduction in operational risk." Regulated firms using outsourcing and third party providers must take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems (see also Principle 3 and SYSC 1.2.1 in the FCA Handbook).

    Identifying and assessing supply chain risk is important, including activity or business channels involving (or where reliance is placed on) another party or an affiliated group company/enterprise. UK good practice, per Guidance issued by the Joint Money Laundering Steering Group (‘JMLSG’), includes:

    • Where a UK financial institution has overseas branches, subsidiary undertakings or associates, where elements of its UK business have been outsourced to offshore locations, the firm must put in place a group AML/CTF strategy.
    • In all instances of outsourcing it is the delegating firm that bears the ultimate responsibility for the duties undertaken in its name. This will include the requirement to ensure that the provider of the outsourced services has in place satisfactory AML/CTF systems, controls and procedures, and that those policies and procedures are kept up to date to reflect changes in UK requirements.

    The FCA expects firms it supervises to be operationally resilient by having a comprehensive understanding and mapping of the people, processes, technology, facilities and information necessary to deliver each of a supervised firm’s important business services. This includes people and other dependencies such as third parties. A supervised firm should therefore assess the risks and controls in place to ensure it is operationally resilient.

    Other Considerations

    As noted in an ICC Commission paper on ‘Corporate Responsibility and Anti-corruption’: "The risks associated with contracting a third party to perform services on the company’s behalf remain further down the supply chain. This means that a company can be held liable for the actions of a subcontractor a third party has contracted, who is found to have been involved in corrupt activity. If a third party is going to subcontract services to be provided under the contract, due diligence needs to be conducted on the subcontractor. The extent of due diligence will depend on the size of both the third party and subcontractor."

    A firm’s nexus with a supplier that is the subject of a significant ‘red flag’ could lead to:

    1. Being perceived to have a nexus with criminal activity – whether directly or indirectly.
    2. Supply disruption – if investigation or prosecution impacts supplier operations.
    3. Reputation risk – leading to stakeholder concern or loss of market confidence.
    4. Diversion of senior management time – due to protracted involvement in responding to law enforcement or regulatory enquiries.
    5. Prosecution or regulatory action – if an investigation finds that your procedures and controls were inadequate.

    Red Flags

    A ‘red flag’ is information identified from fact, intelligence, event, or a set of circumstances which might indicate potential for illegal or unethical business conduct. Example red flags include where an agent, supplier, or a member of its Board or senior management team, is:

    • Named in negative news, linked to allegations of bribery, corruption or other criminal activity.
    • Identified on a watchlist linked to financial sanctions.
    • Subject of adverse regulatory news or enforcement activity.
    • Reported to have governance failings or a nexus to criminal activity.
    • Linked to countries with weak anti-money laundering arrangements, a high risk of corruption, major human rights violations or terrorist activity.

    Other examples include:

    • Suppliers lacking typical business premises or expected levels of resource/employees.
    • Unusual purchase volumes from particular suppliers and/or unusual levels of credit notes, adjustments or reversals.
    • Vaguely worded contracts lacking clarity about the nature of services (to be) provided or by whom.
    • Operating in a higher risk jurisdiction under the guise of a legal entity, where beneficial ownership/control lacks transparency.
    • Commissions or front-ended fees paid to win business or facilitate business arrangements or transactions.
    • Unexplained payments continuing to suppliers, agents or contractors after their 'contractual' period, or when services have ended.

    A Financial Crime Framework should incorporate ‘red flag’ assessment on agents, intermediaries and suppliers, via an appropriate level of informed due diligence.

    Target Outcome

    Supply chain contagion risk should be assessed, particularly if a material supplier is associated with money laundering, fraud, breaching anti-bribery laws or financial sanctions – including laws with extraterritorial effect (e.g. US Foreign Corrupt Practices Act, OFAC sanctions, etc.).

    Framework design varies between firms. These FAQ suggest themes to consider in order to demonstrate how risk is appropriately assessed, and how the structure in place (or a proposed Target Operating Model) informs consistency of approach to managing financial crime risk. Also see:

    1. FAQ 1 above (section titled ‘Framework Content’).
    2. FAQ 10 in ‘Money Laundering FAQ’.
    3. FAQ 10 in ‘Financial Sanctions FAQ’.

    FCA Regulated Firms

    In addition to ensuring appropriate documentation of risk management policies and risk profile in relation to money laundering, including documentation of application of those policies (see SYSC 3.2.20 R to SYSC 3.2.22 G), a firm’s Financial Crime Framework includes information on how:

    • Senior management risk appetite is defined, maintained and communicated;
    • Internal governance ensures senior management awareness and understanding of financial crime risk;
    • Real financial crime risk is assessed and with what frequency;
    • Assessed risk is reflected in policy and procedure – with protocols for the escalation or reporting of concerns and suspicions;
    • Risk is addressed in internal controls – including risk tolerance, staff roles & responsibilities for the application (or oversight) of financial crime controls;
    • Compliance monitoring is deployed to ensure oversight of financial crime risk and response;
    • Law enforcement is engaged – including reporting Suspicious Activity and responding to regulator/law enforcement information requests;
    • Assurance is obtained on effectiveness of application of financial crime policies and procedures;
    • New and emerging risks are dealt with; and
    • Staff are provided with financial crime training/awareness, including the reporting of a concern or suspicion to a designated person / function.

    All Organisations

    Non-FCA regulated firms might mirror some or all FCA-type requirements in their internal systems and controls. Nevertheless, all organisations might also consider the relevance or suitability of:

    • If covered by The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 – Appointing a “nominated officer”, to receive disclosures made under Part 3 (terrorist property) of the Terrorism Act 2000 or Part 7 (money laundering) of the Proceeds of Crime Act 2002.
    • Ensuring internal mechanisms are in place for staff to report suspected money laundering or terrorist financing, or to whistle-blow (e.g. on insider dealing, fraud, bribery and corruption risk).
    • The provision of regular Management Information to senior management, to inform understanding and awareness of the financial crime risks to which their firm is exposed, including reporting prepared by the MLRO, or equivalent (where appointed).
    • How financial crime risk is assessed in, for example, products and services offered, jurisdictions of operation, customer types, transaction complexity and volume, supply chain and distribution channels.
    • Adopting a risk-based approach by targeting resource towards areas assessed to present the greatest risk.
    • Maintaining up-to-date policies and procedures, and ensuring their understanding by relevant staff, also being readily accessible and effectively implemented.
    • Employing staff with requisite skill, knowledge and expertise to carry out their role effectively; and ensuring on-going competence (e.g. regular updates or training).
    • Ensuring when new product, new business practice (including new delivery mechanism) or new technology is adopted, appropriate measures are taken in preparation for, and during, the adoption of such product, practice or technology, to assess and if necessary mitigate any money laundering or terrorist financing risk a new product, practice or technology may cause.
    • Monitoring implementation and conformity with policies and procedures, to appraise senior management (via routine MI or exception based escalation) of compliance or to alert on gaps identified in content or application.

    The target outcome is a framework which, if implemented effectively, reflects both the assessed risk of financial crime and senior management’s agreed ‘organisational’ response to it. Framework implementation and application should be monitored, with its on-going relevance and sustainability reviewed on a periodic basis (e.g. annually, or as defined in senior management risk appetite). A firm’s Financial Crime Framework must remain relevant to the assessed risk facing the organisation and the breadth of its operations.