May not cover factors relevant to a particular situation or circumstance.
Frequently Asked Questions
Click Questions to see example responses, some of which include embedded links to reference sources.
A procedure is a set of actions setting out the official or accepted way of doing something; and usually includes sufficient detail on what should (or must) be done in one or more elements of an end-to-end workflow process.
Example drivers for having clearly defined standards and documented procedures to address financial crime risk at an operational level, the detail of which reflect legal and regulatory expectations, include:
Bribery & Corruption
Under Section 9 of the Bribery Act 2010, the Secretary of State published Guidance about procedures commercial organisations can put in place to prevent persons associated with them from bribing.
Built around six principles, the guidance helps commercial organisations to understand the types of procedure they can put in place to prevent bribery. Guidance includes "procedures should be proportionate to the risks faced by an organisation. No policies or procedures are capable of detecting and preventing all bribery. A risk-based approach will, however, serve to focus the effort where it is needed and will have most impact."
The Bribery Act 2010 provides a defence is available to a commercial organisation, where it can prove that despite a particular case of bribery, the organisation nevertheless had adequate procedures in place to prevent persons associated with it from bribing.
It would be for a court to determine whether an organisation had adequate procedures in place to prevent bribery in the context of a particular prosecution. However, the onus would remain on an organisation which sought to rely on the defence, to prove that it had adequate procedures in place to prevent bribery.
In March 2016 the Office of Financial Sanctions Implementation (‘OFSI’) was established, with a remit to help ensure that financial sanctions are properly understood, implemented and enforced in the United Kingdom.
OFSI Guidance does not use the term ‘risk-based approach’ - "OFSI’s view is that financial sanctions are generally widely publicised and that businesses, particularly those operating internationally, will have reasonable cause to suspect that sanctions might be relevant to them. Therefore, they won’t be able to avoid liability simply by failing to consider their sanctions risks."
OFSI expects businesses to take appropriate steps to mitigate risk, taking into account the specific nature of their activities. OFSI guidance also points to the FCA’s Financial Crime Guide (‘FCG’) for firms, which illustrates examples of good practice for designing systems to mitigate sanctions risks.
Chapter 7 of Part 1 of the FCG refers to examples of good and poor practice in FCTR 8.3.3 which, inter-alia include: "Documented policies and procedures in place, which clearly set out a firm’s approach to complying with its legal and regulatory requirements in this area."
Fraud can be an irritant in some organisations and might be considered an unwanted cost of doing business. However, repetitive fraud at the irritant level or more serious fraud committed as a one-off incident or at an organised crime level, should be acknowledged and responded to with appropriate and timely action.
Fraud risk management requires governance oversight and appropriate tone-from-the-top culture. Anti-fraud arrangements might incorporate anti-fraud policy, fraud reporting arrangements and fraud response plans, with training for relevant staff on their content. Variously, these will set out senior management expectations for fraud risk, key responsibilities for fraud prevention, detection and response.
Firms supervised by the Financial Conduct Authority (‘FCA’) should consider the full implications of the breadth of fraud risks they face, which may have wider effects on reputation, customers and the markets in which they operate. The regulator expects firms to be responsive to fraud risk in systems and controls. The FCA Handbook (SUP 15.3.17) requires a firm must notify the FCA immediately if certain fraud related events are encountered.
Whilst monetary value is one aspect of fraud, the regulator is often interested in: (i) consumer protection; and (ii) the adequacy of a firm’s internal arrangements for fraud response, including the content of relevant procedure and guidance which a regulated firm’s staff have relied upon when a notifiable event has occurred.
Insider dealing is a criminal offence under section 52 of the Criminal Justice Act 1993. Sections 89-91 of the Financial Services Act 2012 set out a range of behaviours which amount to criminal offences, which are together referred to in the FCA Financial Crime Guide as Market Manipulation.
There are also civil offences of insider dealing, unlawful disclosure of inside information and market manipulation set out in the Market Abuse Regulation - collectively referred to as Market Abuse
To commit insider dealing or certain forms of market manipulation, a perpetrator typically engages, or works within, a firm which accesses the relevant financial markets on their behalf.
The FCA Handbook (FCG 8.1.6) includes: "It is critical that firms that offer access to relevant financial markets have adequate policies and procedures to counter the risk that the firm might be used to further financial crime, in accordance with SYSC 6.1.1R."
The FCA, when considering whether a breach of its rules on systems and controls against money laundering has occurred, will have regard to whether a firm has followed relevant provisions in the guidance for the United Kingdom financial sector issued by the Joint Money Laundering Steering Group (SYSC 6.3.5 G).
Joint Money Laundering Steering Group (‘JMLSG’) guidance emphasises the responsibility of senior management to manage a firm’s money laundering and terrorist financing risks, and how this should be carried out on a risk-based approach. It sets out a standard approach to identification and verification of customers, separating out basic identity from other customer due diligence measures, as well as providing guidance on monitoring customer activity.
JMLSG guidance is available in a number of parts. The main text in Part I contains generic guidance that applies across the UK financial sector. Part II provides guidance for a number of specific industry sectors, supplementing the generic guidance contained in Part I. Part III provides additional guidance on a number of specific areas of activity.
Other regulators acknowledge JMLSG content, for example, HMRC guidance includes "… some of the sections in Part 1 of the guidance may be particularly relevant to money service businesses. They contain detailed coverage of how to do due diligence checks on different types of customers, report suspicious activity and do staff training and record keeping."
The Criminal Finances Act 2017 includes the Corporate offence of failure to prevent the facilitation of tax evasion, applicable to a body corporate or partnership (i.e. ‘relevant body’). However, if a relevant body can demonstrate it has ‘reasonable procedures’ in place to identify and mitigate tax evasion facilitation risk, it could have a defence to the risk of prosecution.
Relevant bodies should take account of HMRC Guidance on tackling tax evasion. One of its six founding principles include: ‘Proportionality of risk-based prevention procedures’ (i.e. risk-based and proportionate to the risk the relevant body faces of persons associated with it committing tax evasion facilitation offences).
The guidance acknowledges some relevant bodies face more significant risk and need more extensive procedures than, say, others which face more limited risks - "Procedures to prevent the criminal facilitation of tax evasion by a person associated with the relevant body may be independent, standalone procedures; but so long as they properly address the risk of facilitating tax evasion they may form part of a wider package of procedures, for example internal Anti-Money Laundering, Bribery Act or fraud prevention procedures."
The description of the purpose of HMRC guidance, includes: "The guidance therefore needs to be used to inform the creation of bespoke prevention procedures designed to address a relevant body’s particular circumstances and the risks arising from them. " A clear marker that some form of documented evidence would be required in order to contribute towards a defence of ‘reasonable procedures’.
Procedures describe activity required to complete particular process-oriented tasks (i.e. what to do). But, procedures are not the only source, or evidence of a firm’s cultural approach to managing financial crime risk. Other example sources include:
Code of Conduct - Good practice guidelines and policy statements outlining an organisations’ norms and expected behaviours, indicating:
Behavioural expectations of employees (e.g. standards of professionalism, acting with honesty and integrity, treating colleagues, customers and suppliers with respect, etc.).
Conduct which would fall short of the standard expected of employees (e.g. acting dishonestly, undeclared conflicts of interest, offering or accepting bribes, etc.).
Risk-Appetite Statements – Clear statements setting out the amount and type of risk an organisation is willing to take in order to meet its strategic objectives. For example:
No appetite to conduct business in certain countries (to reduce financial sanctions risk or manage country risk exposure for credit or other reasons).
Limiting the volume of unique high-risk customers to a maximum of [10%] of the total customer population.
Other appetite statements – often reflecting response to higher-impact risk identified through an organisation’s formal risk-assessment process.
Financial Crime Policies - Governance documents setting out the Board (or equivalent senior management team’s) governance expectations. Amongst a broader policy library, core financial crime policies are likely to cover the following risks:
Bribery & Corruption.
Financial Sanctions & Embargoes.
Tax Evasion Facilitation.
Service Level Agreements (‘SLA’s) - Their content might apply to inter-departmental activity within the same organisation (e.g. transaction monitoring alert review), inter-group arrangements when an affiliate provides operational support (e.g. a centralised KYC or customer due diligence unit), or outsourcing arrangements entered into with external suppliers of services (e.g. product or customer administration linked to a legacy customer portfolio). In addition to taking account of regulatory influence (e.g. per FCA Handbook SYSC 13.9 (Outsourcing)) SLA content could cover:
legal names of the service provider and customer(s) as parties to the SLA;
statement(s) of objectives and expected deliverables;
defined list(s) of services outsourced and covered by the agreement;
defined responsibilities of the service provider and customer;
details of standards applicable to service delivery, or reference to a specific document incorporating such standards (e.g. the customer’s due diligence standards, transaction screening standards, etc., to be adopted by the service provider.);
a right for the SLA customer to initiate an audit/assurance of SLA service delivery and compliance;
other performance standards expected of the service provider (e.g. quality controls, provision of management information, breach reporting, etc.);
SLA review date; and
a remedial mechanism, compensation arrangements and/or exit clauses applicable to any material delivery shortfall or failure in outsourced operational activity.
Other - Depending on an organisation’s type, industry and size, some may also publish information on the organisation’s cultural approach, or compliance with broader industry or international standards, some of these having a financial crime relevance. Examples of what may be available include:
Annual Reports - Reporting prepared by larger organisations on an annual or other basis, might include reference to what the organisation (or group) has encountered, or initiatives it is progressing in response to financial crime related risk - particularly entities listed on a regulated stock exchange.
Wolfsberg - Correspondent Banking Due Diligence Questionnaire (‘CBDDQ’), completed by Correspondent Banking entities.
Corporate Social Responsibility (‘CSR’) - Statements or policies with financial crime aspects, such as where European Union: Directive 2014/95/EU applies. This requires large companies to disclose relevant non-financial information to provide investors and other stakeholders with a more complete picture of their development, performance and position and of the impact of their activity. Coverage, inter-alia, includes anti-bribery and corruption and environmental matters.
Anti-Slavery - Section 54 (Transparency in Supply Chains) of the Modern Slavery Act 2015 requires certain commercial organisations to publish an annual statement, setting out the steps they take to prevent modern slavery in their business and their supply chains. Such organisations comprise:
a ‘body corporate’ or a partnership, wherever incorporated or formed;
carries on a business, or part of a business, in the UK;
supplies goods or services; and
has an annual turnover of £36 million or more.
ISO 37001 accreditation – Anti-bribery management systems standard designed to help an organisation establish, implement and maintain an appropriate anti-bribery compliance program.
Generally, a minimum requirement or standard is a benchmark used to establish or define the lowest acceptable level of quality or achievement which, in normal circumstances, would be considered acceptable in a particular setting.
A risk-appetite might be set out in a high level policy statement, such as, "The Board of [the Bank] expects staff to take all necessary steps to ensure that [the Bank] does not facilitate money laundering or terrorist financing"; or "The Board of [the Bank] requires customer due diligence to include consideration of negative news sources and for media research to be completed in all high risk cases" .
To be appropriate a minimum standard should be clearly understandable, as to what is actually required and when, and also applicable to the issue at hand. A misunderstanding or lack in clarity as to what is ‘actually’ required of whom and by when will, not unsurprisingly, lead to difference of interpretation and inconsistency of understanding.
Clarity of requirement
The Board’s desire to ensure the Bank does not facilitate money laundering or terrorist financing is understandable. But, vagueness or uncertainty about the activity required to be undertaken, is not helpful to staff who must implement the policy requirement. For example:
What are all of the ‘necessary steps’ (i.e. actions to take) in order to ensure (i.e. reduce risk of) the Bank facilitating money laundering or terrorist financing?
What activity is required to mitigate money laundering risk and is it the same, or something else for terrorist financing risk?
What activity is required to complete appropriate customer due diligence and is it the same for all customer types?
What tools/process should be adopted to ensure consistency of approach to negative news assessment, and which source(s) are permissible (e.g. long established and reputable news media) or impermissible (e.g. anonymous news blogs, gossip columns, etc.)?
How is a high risk case identifiable (i.e. what criteria is used to segment a customer population into high, medium and low risk)?
Is media research also required in all high risk transactions, or are ‘cases’ restricted to customer risk levels?
Setting the baseline
If a high level policy requirement is not supplemented by a process or procedure document setting out the underlying detail of what should actually be done (in support of a policy requirement), staff working on customer or transaction due diligence, will likely apply a different and inconsistent approach to each case.
Minimum Standards incorporated into documented procedures, are useful to:
Inform staff on the operational standards to be applied in the first line of defence.
Set a benchmark against which 4-eyes oversight can be applied, to ensure appropriate and consistent application of activity within a firm’s internal control framework.
Provide evidence of a firm’s framework of adequate or reasonable procedures, in the event of a law enforcement investigation, such as, linked to alleged bribery or corruption, or a failure to prevent the facilitation of tax evasion.
Reduce risk of an FCA regulated firm being subject to enforcement action for breaching:
Principle 3 (i.e. if a firm or other person failed to take reasonable care to organise and control its affairs responsibly or effectively).
SYSC 6.1.1 R (i.e. A firm must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and appointed representatives (or where applicable, tied agents) with its obligations under the regulatory system and for countering the risk that the firm might be used to further financial crime).
SYSC 6.3 Financial crime (i.e. A firm must ensure the policies and procedures established under SYSC 6.1.1 R include systems and controls that: (1) enable it to identify, assess, monitor and manage money laundering risk; and (2) are comprehensive and proportionate to the nature, scale and complexity of its activities).
Standard Operating Procedures (‘SOPs’) provide documented step-by-step instructions to help employees carry out a single, or a series of operational activities. Procedure content should be designed to:
drive efficiency, quality and consistency of output;
reduce error or inconsistency of approach; and
minimise the risk of exposure to legal or regulatory risk.
Legal and regulatory considerations
Everyone has a personal legal responsibility not to commit, aid or abet the commission of a criminal offence. But, when employed they also have an important role to play in mitigating financial crime risk in the organisation they work for, whether in relation to:
Bribery – A criminal offence also applies to a commercial organisation which fails to maintain adequate procedures to prevent bribery. These should include procedures proportionate to the risks facing an organisation.
Financial Sanctions - All individuals within or undertaking activity in UK territory must comply with EU and UK financial sanctions. Without appropriate procedure the risk of making an incorrect assessment of a customer relationship or transaction is increased.
Fraud – Poor practice includes: (a) Senior management who appear unaware of fraud incidents and trends; and (b) Staff who lack awareness of what constitutes fraudulent behaviour. The FCA expects firms to be responsive to fraud risk. Its Handbook (SUP 15.3.17) requires firms must notify the FCA immediately if certain events (including Fraud) arise and the event is significant.
Market Manipulation – The FCA expects regulated firms’ policies, procedures and risk framework to be tailored and appropriate to the nature of their business (e.g. client type(s), product type(s), means of order transmission and execution, risks posed by employees, etc.).
Money Laundering – A key requirement for a regulated firm is implementing a framework of policy, procedure, systems and controls to address money laundering and terrorist financing risk.
Tax evasion - A criminal offence also applies to Companies and Partnerships which fail to maintain reasonable procedures to prevent the facilitation of tax evasion.
The contribution employees make to risk identification or risk mitigation depends on the job they do, their work-related responsibilities and whether they are in the first, second or third lines of defence. Employees benefit from receiving training on procedural requirements linked to their respective roles, as well as any functional or managerial responsibilities they have for ensuring oversight of the application of operational procedure. Example roles and remit include:
the front line (e.g. dealing with customers or transactions on a daily basis);
business development roles (e.g. identifying opportunity to sell their organisation’s services to existing or prospective customers);
middle and back-office functions in support of front line staff (e.g. customer and transactional due diligence, payments processing, loans administration and other support activities);
transaction monitoring teams (e.g. responding to alerts generated by customer and payments screening, or rules-based anti-money laundering systems);
compliance monitoring, including trade surveillance for market manipulation and insider dealing;
managing customer complaints;
responding to whistle-blowing alerts, allegations of staff impropriety, or other concerns;
dealing with suspicious activity reports (internal reporting and external notifications) and law enforcement enquiries;
internal committees and other fora (e.g. responsible for customer or transaction review on a Client Acceptance Committee, Credit Committee, Reputation Risk Committee, etc.); and
personnel appointed to Senior Management Functions (‘SMF’) or covered by the Certification Regime applicable to certain staff in FCA regulated firms (i.e. which also carry regulatory accountability linked to their personal responsibilities, including the MLRO (SMF17)).
Employees roles typically operate under a common suite of business-wide policies and risk-appetite statements, which essentially provide a high-level orientation as to how business is expected to be done.
Procedure content and relevance
To make an effective contribution to risk-mitigation, employees need guidance and lower level detail on their employer’s expectation of them in their individual roles’. This may comprise a blend of:
to highlight the types of financial crime risk they can help identify, reduce or prevent in their daily work; and
identify who to contact if an issue arises, whether for guidance or as part of the firm’s internal reporting mechanism (e.g. for fraud, money laundering, etc.)
Documented procedure(s) which are:
risk-based and relevant to real risk(s) facing the business;
for operational use, as approved by the firm’s Board or senior management team;
directly relevant to their job / functional activity;
inclusive of sufficient detail to enable a clear understanding of activity required in order to be compliant with senior management policy and risk-appetite;
periodically reviewed to ensure on-going relevance to assessed risk; and
subject to regular quality control testing as to how effectively they are applied in a business-as-usual context.
Timely feedback to employees and also reporting to senior management, on the assessed levels of conformity with procedural requirements.
Instances may arise when a ‘business-as-usual’ or standard requirement cannot be implemented and where, for operational reasons, an exception or variance to a standard might be permissible, on a case-by-case basis. No variance should be approved if this would result in breach of a legal or regulatory obligation.
Set out below is an illustrative approach to defining permitted variance types. A pre-requisite is to ensure any form of variance which is at odds with the firm’s internal control framework:
Is not ‘waved-through’, but is subject to appropriate challenge and oversight (i.e. a variance should not be used as an easy option to avoid conforming with a usual control requirement); and
Does not expose the firm to operating out of senior management approved risk-appetite (e.g. entering into a prohibited relationship or transaction, or facilitating a high risk activity or transaction without appropriate risk mitigation in place).
Exception to Policy - An approval granted by the Policy Owner (or via appropriate governance oversight) to a permissible deviation or exemption from a Policy standard (e.g. linked to a particular IT system, or a specific customer relationship or transaction).
Dispensation – A short term permitted variance from Procedure for a defined period of validity (e.g. extending time allowed as part of Customer Due Diligence to verify the identity of a customer, a person acting on behalf of the customer or a customer’s beneficial owner, such as - Where this is necessary not to interrupt the normal conduct of business and there is little risk of money laundering and terrorist financing).
Waiver - A limited variance from Policy (or Procedure) in specified circumstances, but not a full Policy exemption (e.g. Policy might require that all transactions are screened in System ‘X’. Where a business area or operating division does not currently have an instance of System ‘X’, but implementation of System ‘X’ is planned, a Waiver might be issued to transactions processed by the relevant business area or division).
Importance of review
In all scenarios the use of a pre-approved variance should be subject to scheduled or periodic review. No exception, dispensation or waiver should continue without appropriate check and challenge of its on-going relevance and validity.
Where non-conformity with a standard is identified in business-as-usual (‘BAU’) activity, which is not covered by a pre-approved exception or variance, this might amount to a breach of a Legal or Regulatory requirement, and/or a Policy breach.
The following are suggested criteria for consideration when logging details of a confirmed breach:
Breach classification (e.g. Legal, Regulatory, Group Policy, UK Policy, etc.)
Business area where breach occurred
Other business areas impacted by breach
Customer impact (where applicable)
Relevant Policy (name and version date)
Description of policy requirement
Description of policy breach
How breach identified
Cause / impact (if known), or action being taken to assess
Date breach event occurred
Date breach event identified
Date breach notified to [Policy owner, Governance forum, etc.]
Applicable reporting requirements (e.g. with FCA Handbook reference)
Summary of remedial action planned/initiated (or cross reference to information on):
Actions (including long and short term solutions to prevent re-occurrence or similar breach events)
Target resolution dates
How remedial action plan is monitored
Summary of dependencies impacting Remedial Action Plan delivery
Confirm if policy waiver requested/obtained to cover existing compliance gap
Variables to consider
If a breach or suspected breach is identified, the extent of information recorded may vary depending on the type and severity of breach, the nature of recording system used by a firm (e.g. Operational Risk Register (‘ORR’)), the availability of data/information and/or whether an external reporting requirement might apply.
When first encountered it is often unclear whether a breach is a one-off or systemic issue. Consequently, a robust approach should be adopted from the outset to establish the facts, assess breach impact and consequence, and to prepare an informed response or remediation plan. If later a regulator or other third party requests (or requires) information about breach response arrangements, a methodical and effective process can be demonstrated by the firm.
The illustrative approach which follows might be useful for a firm which lacks a Breach Reporting & Escalation process. The model lists sequential elements. However, sequencing and related staging activity will be firm-specific, influenced by the seriousness of a breach issue and the firm’s internal governance framework.
Breach process consideration
Record detail of the breach identified
Identify Business area where breach (or potential breach) is first identified/encountered
Identify Business area responsible for breach (or potential breach) if not where breach identified
Identify type of breach (e.g. Legal, Regulatory and/or Policy)
Preserve relevant records
Identify customer detriment from breach, if any
Identify adverse impact on customer or transaction risk, if any
Prevent financial loss (where applicable)
Assess reporting / liaison need (e.g. Head of Compliance, MLRO, Operational Risk, etc.)
Early liaison / Notification
Consult with Head of Compliance, Head of Operational Risk and/or MLRO (SMF17 / CF11)
Where necessary – liaise with Legal and/or HR (i.e. on legal and staff related matters respectively)
Obtain advice/guidance on next steps (and who does what)
Consider confidentiality / security requirements
Consider potential for customer impact or if a reporting requirement applies (or might apply)
Maintain ‘Decisions Log’ for audit trail purposes
Consultation outcomes inform assessment activity to be undertaken
Collate and store relevant information/data
Consult with subject matter specialists (where necessary)
Investigate how, where and why a breach occurred
Size the problem / quantify impact
Maintain action log and update ‘Decisions Log’, as necessary
Quality assure work to reach an informed factual basis for escalation and reporting
Consult Head of Compliance, Head of Operational Risk and/or MLRO (SMF17 / CF11) on assessment findings
Define ‘Cause of breach’ for recording in Operational Risk Register
Consult with risk owner(s) on findings, to agree action(s) required
Identify recommendations and remediation options
Identify action owners
Prepare ‘Action Plan’ with objectives, actions, deliverables and timelines (highlight key dependencies, if any (e.g. Group affiliates, Outsource providers, Legal advisors, etc.))
Maintain action log and update ‘Decisions Log’, as necessary
Head of Compliance – FCA Rule Breaches and compliance requirements, etc.
Head of Operational Risk – Risk reporting & governance, etc.
MLRO - AML / other financial crime risk relevant to MLRO responsibilities’
The Board or other senior management forum (including the director or senior manager with overall responsibility for the firm’s anti-money laundering systems and controls (per FCA Handbook SYSC 6.3.8))
Ensure minutes of governance meetings (e.g. Board, Committee or other forum) cover consideration, review and management’s response to reported breaches
Where a reporting notification is required to a regulator (e.g. Financial Conduct Authority) or other external body (e.g. Stock Exchange, Serious Fraud Office, etc.)
FCA Reporting, Rule Breaches and compliance requirements, etc.:
SUP 15.3.7 - Principle 11 (i.e. A firm must deal with its regulators in an open and cooperative way, and must disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice)
SUP 15.3.17 - General notification requirement relating to fraud, error and other irregularities (i.e. A firm must notify the FCA immediately if certain events arise and the event is significant)
Manage regulatory risk
Many single incidence policy breaches are wholly internal and likely to be remediated without requiring action beyond a firm’s perimeter (e.g. raising staff awareness or clarifying an internal control requirement which may have been misunderstood). Some breaches however, including systemic policy breaches may also have legal or regulatory ramifications, indicative of a systems or controls risk. These could result in a firm having to notify a regulator or other party, about particular risk issues or events.
Compliance or Quality Assurance (‘QA’) checks effectiveness of deployment of internal process and procedure (e.g. Is a consistent approach applied to the identification of and response to risk, via the adoption of senior management agreed protocols and standards).
A procedure describes the nature of activity required to complete a particular process-oriented task (i.e. what to do). Process and procedure used in a particular firm or organisation will never be a complete mirror image of the same process undertaken in a competitor, or peer-group enterprise. An end-to-end process for completing customer due diligence in Firm ‘A’ might have 8 key stages to complete the detail of work required to create a new customer file, whereas in Firm ‘B’ it could involve 12 or more key stages.
Some of the variables
The approach taken in each firm to achieve the same objective (e.g. to complete new customer on-boarding) is influenced by, for example:
The relevant firm’s risk-appetite and policy framework;
Whether a firm is solely UK regulated, or also subject to requirements of a Group headquartered in another jurisdiction, adding additional regulatory requirements into UK internal process and procedure;
The location(s) where operational activity is undertaken;
The legal and regulatory requirements applicable to the customer type, and whether Firm A or B has a greater depth of experience in the industry sector in which the customer operates;
The nature and extent of due diligence required to be completed - for example:
The customer type (e.g. Natural person, Unlisted private company, Listed company, Trust, Fund Manager, etc.);
Establishing beneficial ownership of legal entity customers (e.g. 10%, 25% or other threshold applicable to customer risk types);
Directors of legal entity customers (e.g. whether identity is verified for a minimum of 2, 3 or more directors and if so, which ones are prioritised);
Negative news screening (e.g. on customer, beneficial owners and directors, or others per the firm’s risk-based approach);
The customers nature of business (e.g. if operating in a higher risk industry/sector, etc.)
The customer’s place of businesss (e.g. wholly UK domestic, or are higher risk jurisdictions involved, etc.)
To assess whether your internal procedures are at the right standard, some of the options include:
Control Framework Gap Analysis – The objective would be to formally review and document the enterprise-wide control framework in place and perform a gap analysis against a recognized framework (e.g. FCA Handbook requirements for Financial Crime).
Document the status-quo - Produce a list of the existing internal controls applicable to managing financial crime risk in particular (or selected) processes and/or the locations where operational activity is performed. The objective would be to formally document the relevant controls and the completeness of their coverage, in order to identify options and recommendations for improvement, where necessary.
Gap Analysis of Procedure Content - Perform a gap analysis by comparing procedural controls to reference sources, such as JMLSG Guidance, the FCA Financial Crime Guide, etc., to:
identify any known regulatory issues or poor practice;
identify potential gaps in content; and
where necessary - provide the Board with observations and recommendations for their consideration, in order to maintain a risk-based approach to financial crime.
Conducting a review
The above could be completed internally where a firm has the required subject matter capability and resource bandwidth to complete the task. Or, support could be commissioned from specialist external advisors, to support review design, delivery or gap-analysis assessment.
The impact of getting it wrong can be varied, depending on what went wrong, how, why and the findings of any root cause analysis.
Law enforcement and regulatory risk
The Serious Fraud Office (‘SFO’) and the Courts may have a view on suitability and effectiveness of an organisation’s internal procedures, particularly when a Bribery prosecution is brought under the Bribery Act 2010 against the organisation (i.e. for failing to maintain adequate procedures); similar interest would be placed on procedures where a Corporate offence was initiated by the SFO or HMRC linked to a failure to prevent the facilitation of tax evasion.
Regulators may form view as to whether an issue (or series of issues) identified, constitutes a regulatory failing and whether this should lead to regulatory intervention or enforcement action in egregious cases.
Other stake-holders may also have a view on a firm or its management team, where a material financial crime issue arises – They include:
The financial markets (if publicly traded)
Accreditation bodies (if an issue / failing is relevant to a previously awarded certification/accreditation)
Customers and suppliers
The media – Reputation risk can be more damaging in some cases, than a financial loss incurred or value placed at risk.
If an organisation is found to lack appropriate documented procedures, then, in addition to the risk of regulatory or law enforcement intervention, the organisation may also need to introduce (or up-date its existing) internal procedures, to be followed by a substantial and costly exercise to remediate its legacy customer portfolio, or other population where the organisation is deemed to have previously failed.
A remediation and look-back exercise is costly and time-consuming. This avenue should be avoided where possible, by implementing and maintaining appropriate internal procedures at an early stage of any new business activity, or when a change occurs to existing internal arrangements, to ensure risk is identified and responded to in accordance with senior management risk-appetite and policy framework.