A clearly documented Financial Crime Framework provides transparency and structure against which to develop and maintain consistency of approach to managing financial crime risk. The framework should apply to the firm, business or group for which it has been developed. The underlying level of detail required will be informed by the nature and complexity of the organisation to which it relates, as well as being driven by the needs/expectations of senior management (e.g. risk appetite).
Frameworks typically cover activity undertaken in the first and second lines of defence, but might also incorporate third line activity or review themes, where:
Defining framework coverage is important to ensure clarity on which risks are in scope and which are not. The framework might cater for any kind of criminal conduct, or be tailored to criminal conduct relating to money or to financial services or markets, covering typologies such as:
Some firms might also include Information Security, Data Protection, or other risk areas in framework coverage. If such areas are not in scope, the wider risk management framework should be clear as to where responsibility rests for other key risk areas (e.g. responsibility for responding to data loss or misuse, allegations of theft or fraud by an employee, whistleblowing alerts, etc.).
Example themes to consider in content development:
In addition to the board / senior management executive and the Money Laundering Reporting Officer (‘MLRO’) in an FCA regulated firm, other stakeholders / parties who may have an interest in the defined framework include:
Implementation should be supported by appropriate resource and risk mitigation measures, reflecting senior management priorities and risk appetite.
The effectiveness of framework implementation should be included in regular reporting to senior management (and MLRO, where applicable in a regulated firm).
A Risk Appetite Statement (‘RAS’) is used to articulate an organisation’s (or firm’s) appetite for risk: the extent of risk it is prepared to tolerate (often referred to as ‘residual’ or ‘tolerable’ risk) and the risk it is not willing to accept or tolerate (‘out of appetite’).
‘Guidance on Board Effectiveness’, published by the Financial Reporting Council, identifies: "the board determines the nature, and extent, of the significant risks the company is willing to embrace in the implementation of its strategy". The board is ultimately responsible for risk management and internal control, including for the determination of the nature and extent of the principal risks it is willing to take to achieve its strategic objectives and for ensuring that an appropriate culture has been embedded throughout the organisation.
As noted in the FCA’s Financial Crime Guide (FCG 2.2.2) – “Management Information (‘MI’) should provide senior management with sufficient information to understand the financial crime risks to which their firm is exposed. This will help senior management effectively manage those risks and adhere to the firm’s own risk appetite. MI should be provided regularly and ad hoc, as risk dictates.”
RAS content is used to inform the tone and content of policy, procedure and operational risk standards, for example to:
A clearly defined RAS informs business strategy and resource allocation, as well as priority areas for embedding effective internal systems and controls. Reviewing and communicating risk tolerance thresholds (i.e. risk appetite) should be undertaken on a regular/scheduled basis, but with flexibility to enable a re-baseline in response to new/emerging significant threats (e.g. introduction of new legal or regulatory obligations, change to financial sanctions country regimes, additions or redactions made to HM Treasury’s Advisory Notices on risk posed by jurisdictions with unsatisfactory money laundering and terrorist financing controls, etc.)
The nature and extent of a framework will vary between firms. This FAQ sets out some considerations, but development might also be influenced by other organisational or environmental factors not mentioned below (e.g. merger and acquisition activity, organisational change activity, a regulatory requirement, or remedial activity being undertaken in response to previously identified risk, etc.).
As noted by the Financial Action Task Force (‘FATF’), a risk-based approach (‘RBA’) means identifying, assessing and understanding the money laundering and terrorist financing risk to which a firm is exposed, and taking appropriate mitigation measures in accordance with the level of risk.
For UK regulated firms, The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended (‘MLR 2017’), require: “A relevant person must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject.” MLR 2017 also requires that a regulated firm take into account:
The Joint Money Laundering Steering Group (‘JMLSG’) is a private sector body made up of the leading UK Trade Associations in the financial services industry. Guidance issued by the JMLSG includes (Chapter 4, Part I):
RBA flexibility allows for a more efficient use of resources, enabling a firm to decide on the most effective way to mitigate the identified money laundering / terrorist financing risks. Firms may focus their resources and take enhanced measures in situations where the risks have been assessed to be higher, apply simplified measures where assessed risk is lower, and exempt low-risk activities in appropriate instances.
The FATF publishes guidance on the risk-based approach for different sectors, examples include:
See also Question 4 in our general ‘Money Laundering - FAQ’.
It is a defence to the Corporate Offence under the Bribery Act 2010, for a commercial organisation to show that it has ‘Adequate Procedures’ in place to prevent bribery being committed by those associated with it.
As noted in Ministry of Justice Guidance "commercial organisations should adopt a risk-based approach to managing bribery risks. Procedures should be proportionate to the risks faced by an organisation. No policies or procedures are capable of detecting and preventing all bribery. A risk-based approach will, however, serve to focus the effort where it is needed and will have most impact. A risk-based approach recognises that the bribery threat to organisations varies across jurisdictions, business sectors, business partners and transactions."
Ministry of Justice Guidance incorporates six Principles:
The Financial Conduct Authority (‘FCA’) does not enforce Bribery Act requirements, but the regulator does expect authorised firms to have considered and taken steps to address the risk of bribery and corruption within their business, including where these risks come from third parties. The FCA considers that the guidance in FCG 2.2.4 G (on risk assessment in relation to financial crime) also applies to bribery and corruption.
Reasonable steps noted by the FCA are likely to include:
Firms need to have an appropriate means of monitoring payment instructions (i.e. manual or automated) to ensure that no payments are made to targets of financial sanctions (or their agents). In the regulated sector this obligation applies to all firms, and not just to banks.
The Office of Financial Sanctions Implementation (‘OFSI’) should be notified when funds are frozen under financial sanctions legislation or where a firm has knowledge or a suspicion that financial sanctions measures have been or are being contravened, or that a customer is a listed person or entity, or a person acting on behalf of a listed person or entity.
A firm is open to prosecution if it fails to comply with an obligation to freeze funds; to not make funds, economic resources or (in relation to suspected terrorists) financial services available to listed persons or entities; or to report knowledge or suspicion.
OFSI Guidance does not use the term ‘risk-based approach’. Its content does include: "OFSI’s view is that financial sanctions are generally widely publicised and that businesses, particularly those operating internationally, will have reasonable cause to suspect that sanctions might be relevant to them. Therefore, they won’t be able to avoid liability simply by failing to consider their sanctions risks."
OFSI expects businesses engaging in activities, where financial sanctions apply, to stay up-to-date with the sanctions regimes in force, to:
Where risk-mitigation includes the use of an e-verification provider or screening software, which may be tailored to business needs and risk profile, OFSI identified issues to consider include:
The FCA is not responsible for enforcing asset freezes or sanctions, but the regulator does expect authorised firms to maintain systems and controls which mitigate the risk of financial crime, including those that enable a firm to meet financial sanctions obligations. The FCA view is that: "These may need to be different from those you might have in place for anti-money laundering purposes, because compliance with sanctions means that you also need to consider to whom payments are being made and whether funds are from an entirely legitimate source."
The FCA expects firms to have effective, up-to-date screening systems appropriate to the nature, size and risk of its business. The regulator provides examples of good practice for sanctions systems and controls in Chapter 7 of its Financial Crime Guide, which also includes a series of self-assessment questions, such as:
Chapter 5 (Part I) of the JMLSG Guidance includes:
5.3.58 - To reduce the risk of breaching obligations under financial sanctions regimes, firms are likely to focus their resources on areas of their business that carry a greater likelihood of involvement with targets, or their agents. Within this approach, firms are likely to focus their prevention and detection procedures on direct customer relationships, and then have appropriate regard to other parties involved.
5.3.59 - Firms need to have some means of monitoring payment instructions to ensure that proposed payments to targets or their agents are not made. The majority of payments made by many firms will, however, be to other regulated firms, rather than to individuals or entities that may be targets.
5.3.60 - Where a firm freezes funds under financial sanctions legislation, or where it has suspicions of terrorist financing, it must make a report to OFSI, and/or to the NCA. Guidance on such reporting is given in paragraphs 6.33 to 6.42.
Fraud can take a variety of forms including (but not limited to) internal staff fraud, external or third party fraud, false accounting, phishing, boiler room fraud, mortgage fraud, insurance fraud, carousel fraud, identity theft and advance fee fraud.
Under The Companies Act 2006 a director or officer of a company might be in default if he or she authorises, permits, participates in, or fails to take all reasonable steps to prevent certain offences being committed, some of which relate to fraud. A company, and any director who consented to or connived in the act, may be held criminally liable for fraud under the Fraud Act 2006.
From a regulatory context, the Financial Conduct Authority (‘FCA’) considers that good practice is demonstrated when firms engage with relevant cross-industry efforts to combat fraud. The FCA prioritises consumer protection as potential victims of fraud, above the protection of firms themselves as potential victims. The regulator’s view is: "Fraud is an area of regulation where we align our goals with those of regulated firms. We recognise that firms already have strong incentives to manage fraud risks — fraud costs them money and losses can affect firms' profitability. We promote a partnership approach to tackling fraud and aim to work with the market and to encourage collaboration."
Key fraud issues noted by the FCA relate to:
In its Financial Crime Guide (FCG 4.2.1 G) the FCA opines: "All firms will wish to protect themselves and their customers from fraud. Management oversight, risk assessment and fraud data will aid this, as will tailored controls on the ground. We expect a firm to consider the full implications of the breadth of fraud risks it faces, which may have wider effects on its reputation, its customers and the markets in which it operates."
To inform a risk based approach, FCG 4 provides indications of good and poor practice linked to fraud, along with a series of self-assessment questions posed by the FCA. They include:
The risk based approach in a firm supervised by the FCA should take into account FCA Handbook SUP 15.3.17 R, which requires a firm to notify the FCA immediately if one of the following events arises and the event is significant:
In determining whether a matter is significant, a firm should have regard to:
Understanding the range and extent of financial crime risk facing a firm is key to informing proportionate and effective systems and controls in a financial crime framework. Assessment should take account of financial crime risks within jurisdictions in (or through) which it does business. Where necessary, firms can then target resource, systems and controls on the areas presenting greatest risk, or with potential for being out of risk-appetite - which could differ between jurisdictions.
A jurisdiction might be classified high risk due to weaknesses in its anti-money laundering regime, a perception of high corruption risk, enabling tax evasion, or due to being subject of UK or international financial sanctions. If undertaking material business with a jurisdiction lacking well-established rules of law or with Politically Exposed Persons (or companies with which they are involved) in a country with high levels of corruption, such factors might trigger a need to implement enhanced due diligence on transactions or the parties linked to them.
Money Laundering FAQ 8 provides more information on example country risk sources (via self-service or commercial options).
An agent or Appointed Representative acts on behalf of a principal. The principal should ensure agent activity is aligned to the principal’s policies and procedures.
Firms regulated by the Financial Conduct Authority (‘FCA’) cannot contract out of their regulatory responsibilities and remain responsible for systems and controls in relation to outsourced activity, whether undertaken within the UK or another jurisdiction. A Financial Crime Framework should reflect regulatory expectations.
OECD Due Diligence Guidance for Responsible Business Conduct (‘RBC’) includes: "Due diligence is appropriate to an enterprise’s circumstances – The nature and extent of due diligence can be affected by factors such as the size of the enterprise, the context of its operations, its business model, its position in supply chains, and the nature of its products or services." As part of the due diligence approach (for varying risk typologies), OECD guidance suggests: "Map the enterprise’s operations, suppliers and other business relationships, including associated supply chains, relevant to the prioritised risk."
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (‘MLR 2017’) requires firms to take appropriate measures to ensure that relevant employees and agents are made aware of the law relating to money laundering and terrorist financing, and that they are regularly given training in how to recognise and deal with transactions and other activities or situations which may be related to money laundering or terrorist financing.
UK good practice, per Guidance issued by the Joint Money Laundering Steering Group (‘JMLSG’), includes:
A Financial Crime Framework should take account of: (i) agent / appointed representative arrangements; (ii) material outsourced service providers; and (iii) the potential for conflict between UK AML/CTF requirements and those which operate in a location where agents are located, or where outsourced activity is provided.
Agents and intermediaries are likely to be considered ‘Associated Persons’ covered by the Bribery Act 2010, which provides that a commercial organisation is liable if a person ‘associated’ with it bribes another person intending to obtain or retain business or a business advantage for the organisation. The level of risk facing an organisation will vary as between the type and nature of the persons associated with it:
Agents and intermediaries are also likely to be considered ‘Associated Persons’ covered by the Criminal Finances Act 2017, which provides that a company or partnership is liable if a person ‘associated’ with it criminally facilitates tax evasion, in the capacity of being an employee or an associated person, when providing services for or on behalf of the business:
A Financial Crime Framework should take account of Associated Person risk, including how they provide (or could be perceived to be providing) services for or on behalf of the firm.
The FCA Handbook (SYSC 13.9.3) clearly states: "A firm should not assume that because a service provider is either a regulated firm or an intra-group entity an outsourcing arrangement with that provider will, in itself, necessarily imply a reduction in operational risk." Regulated firms using outsourcing and third party providers must take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems (see also Principle 3 and SYSC 1.2.1 in the FCA Handbook).
Identifying and assessing supply chain risk is important, including activity or business channels involving (or where reliance is placed on) another party or an affiliated group company/enterprise. UK good practice, per Guidance issued by the Joint Money Laundering Steering Group (‘JMLSG’), includes:
The FCA expects firms it supervises to be operationally resilient by having a comprehensive understanding and mapping of the people, processes, technology, facilities and information necessary to deliver each of a supervised firm’s important business services. This includes people and other dependencies such as third parties. A supervised firm should therefore assess the risks and controls in place to ensure it is operationally resilient.
As noted in an ICC Commission paper on ‘Corporate Responsibility and Anti-corruption’: "The risks associated with contracting a third party to perform services on the company’s behalf remain further down the supply chain. This means that a company can be held liable for the actions of a subcontractor a third party has contracted, who is found to have been involved in corrupt activity. If a third party is going to subcontract services to be provided under the contract, due diligence needs to be conducted on the subcontractor. The extent of due diligence will depend on the size of both the third party and subcontractor."
A firm’s nexus with a supplier that is the subject of a significant ‘red flag’ could lead to:
A ‘red flag’ is information identified from fact, intelligence, an event, or a set of circumstances which might indicate potential for illegal or unethical business conduct. Example red flags include where an agent, supplier, or a member of its Board or senior management team, is:
Other examples include:
A Financial Crime Framework should incorporate ‘red flag’ assessment on agents, intermediaries and suppliers, via an appropriate level of informed due diligence.
Supply chain contagion risk should be assessed, particularly if a material supplier is associated with money laundering, fraud, breaching anti-bribery laws or financial sanctions – including laws with extraterritorial effect (e.g. US Foreign Corrupt Practices Act, OFAC sanctions, etc.).
Framework design varies between firms. These FAQ suggest themes to consider in order to demonstrate how risk is appropriately assessed and how the structure in place (or a proposed Target Operating Model) informs a consistent approach to managing financial crime risk. Also see:
In addition to ensuring appropriate documentation of risk management policies and risk profile in relation to money laundering, including documentation of application of those policies (see SYSC 3.2.20 R to SYSC 3.2.22 G), a firm’s Financial Crime Framework includes information on how:
Non-FCA regulated firms might mirror some or all FCA-type requirements in their internal systems and controls. Nevertheless, all organisations might also consider the relevance or suitability of:
The target outcome is a framework which, if implemented effectively, reflects both the assessed risk of financial crime and senior management’s agreed ‘organisational’ response to it. Framework implementation and application should be monitored, with its ongoing relevance and sustainability reviewed on a periodic basis (e.g. annually, or as defined in senior management’s risk appetite). A firm’s Financial Crime Framework must remain relevant to the assessed risk facing the organisation and the breadth of its operations.