A procedure is a set of actions setting out the official or accepted way of doing something, and usually includes sufficient detail on what should (or must) be done in one or more elements of an end-to-end workflow process.
Example drivers for having clearly defined standards and documented procedures to address financial crime risk at an operational level, the detail of which reflects legal and regulatory expectations, include:
Procedures describe the activity required to complete particular process-oriented tasks (i.e. what to do). But procedures are not the only source of, or evidence for, a firm’s cultural approach to managing financial crime risk. Other example sources include:
Generally, a minimum requirement or standard is a benchmark used to establish or define the lowest acceptable level of quality or achievement which, in normal circumstances, would be considered acceptable in a particular setting.
A risk appetite might be set out in a high-level policy statement, such as, "The Board of [the Bank] expects staff to take all necessary steps to ensure that [the Bank] does not facilitate money laundering or terrorist financing"; or "The Board of [the Bank] requires customer due diligence to include consideration of negative news sources and for media research to be completed in all high risk cases".
To be appropriate, a minimum standard should be clearly understandable as to what is actually required and when, and also applicable to the issue at hand. A misunderstanding or lack of clarity as to what is ‘actually’ required, of whom and by when will, unsurprisingly, lead to differences of interpretation and inconsistency of understanding.
The Board’s desire to ensure the Bank does not facilitate money laundering or terrorist financing is understandable. But vagueness or uncertainty about the activity required to be undertaken is not helpful to staff who must implement the policy requirement. For example:
If a high-level policy requirement is not supplemented by a process or procedure document setting out the underlying detail of what should actually be done (in support of the policy requirement), staff working on customer or transaction due diligence will likely apply a different and inconsistent approach to each case.
Minimum standards incorporated into documented procedures are useful to:
Standard Operating Procedures (‘SOPs’) provide documented step-by-step instructions to help employees carry out a single, or a series of operational activities. Procedure content should be designed to:
Everyone has a personal legal responsibility not to commit, aid or abet the commission of a criminal offence. But, when employed, they also have an important role to play in mitigating financial crime risk in the organisation they work for, whether in relation to:
The contribution employees make to risk identification or risk mitigation depends on the job they do, their work-related responsibilities and whether they are in the first, second or third lines of defence. Employees benefit from receiving training on procedural requirements linked to their respective roles, as well as any functional or managerial responsibilities they have for ensuring oversight of the application of operational procedure. Example roles and remit include:
Employees’ roles typically operate under a common suite of business-wide policies and risk-appetite statements, which essentially provide a high-level orientation as to how business is expected to be done.
To make an effective contribution to risk mitigation, employees need guidance and lower-level detail on their employer’s expectation of them in their individual roles. This may comprise a blend of:
Instances may arise when a ‘business-as-usual’ or standard requirement cannot be implemented and where, for operational reasons, an exception or variance to a standard might be permissible, on a case-by-case basis. No variance should be approved if this would result in breach of a legal or regulatory obligation.
Set out below is an illustrative approach to defining permitted variance types. A prerequisite is to ensure that any form of variance which is at odds with the firm’s internal control framework:
In all scenarios the use of a pre-approved variance should be subject to scheduled or periodic review. No exception, dispensation or waiver should continue without appropriate check and challenge of its on-going relevance and validity.
Where non-conformity with a standard is identified in business-as-usual (‘BAU’) activity, and is not covered by a pre-approved exception or variance, this might amount to a breach of a legal or regulatory requirement and/or a policy breach.
The following are suggested criteria for consideration when logging details of a confirmed breach:
Confirm if policy waiver requested/obtained to cover existing compliance gap
If a breach or suspected breach is identified, the extent of information recorded may vary depending on the type and severity of the breach, the nature of the recording system used by the firm (e.g. an Operational Risk Register (‘ORR’)), the availability of data/information and/or whether an external reporting requirement might apply.
When first encountered it is often unclear whether a breach is a one-off or systemic issue. Consequently, a robust approach should be adopted from the outset to establish the facts, assess breach impact and consequence, and to prepare an informed response or remediation plan. If later a regulator or other third party requests (or requires) information about breach response arrangements, a methodical and effective process can be demonstrated by the firm.
The illustrative approach which follows might be useful for a firm which lacks a Breach Reporting & Escalation process. The model lists sequential elements. However, sequencing and related staging activity will be firm-specific, influenced by the seriousness of a breach issue and the firm’s internal governance framework.
| Stage | Breach process consideration |
| --- | --- |
| Initial Identification | |
| Early liaison / Notification | |
| Assessment | |
| Validate findings | |
| Internal Escalation | |
| External Reporting | |
Many single-incidence policy breaches are wholly internal and likely to be remediated without requiring action beyond a firm’s perimeter (e.g. raising staff awareness or clarifying an internal control requirement which may have been misunderstood). Some breaches, however, including systemic policy breaches, may also have legal or regulatory ramifications, indicative of a systems or controls risk. These could result in a firm having to notify a regulator or other party about particular risk issues or events.
Compliance or Quality Assurance (‘QA’) checks the effectiveness of deployment of internal process and procedure (e.g. is a consistent approach applied to the identification of, and response to, risk via the adoption of senior-management-agreed protocols and standards?).
See also ‘Quality Assurance - FAQ’.
A procedure describes the nature of activity required to complete a particular process-oriented task (i.e. what to do). Process and procedure used in a particular firm or organisation will never be a complete mirror image of the same process undertaken in a competitor, or peer-group enterprise. An end-to-end process for completing customer due diligence in Firm ‘A’ might have 8 key stages to complete the detail of work required to create a new customer file, whereas in Firm ‘B’ it could involve 12 or more key stages.
The approach taken in each firm to achieve the same objective (e.g. to complete new customer on-boarding) is influenced by, for example:
To assess whether your internal procedures are at the right standard, some of the options include:
The above could be completed internally where a firm has the required subject matter capability and resource bandwidth to complete the task. Alternatively, support could be commissioned from specialist external advisors for review design, delivery or gap-analysis assessment.
The impact of getting it wrong can be varied, depending on what went wrong, how, why and the findings of any root cause analysis.
The Serious Fraud Office (‘SFO’) and the Courts may have a view on the suitability and effectiveness of an organisation’s internal procedures, particularly when a bribery prosecution is brought under the Bribery Act 2010 against the organisation (i.e. for failing to maintain adequate procedures); similar interest would be placed on procedures where a corporate offence is pursued by the SFO or HMRC linked to a failure to prevent the facilitation of tax evasion.
Regulators may form a view as to whether an issue (or series of issues) identified constitutes a regulatory failing, and whether this should lead to regulatory intervention or, in egregious cases, enforcement action.
See also Q6 in ‘Money Laundering - FAQ’.
Other stakeholders may also have a view on a firm or its management team where a material financial crime issue arises. They include:
If an organisation is found to lack appropriate documented procedures then, in addition to the risk of regulatory or law enforcement intervention, the organisation may also need to introduce (or update its existing) internal procedures, followed by a substantial and costly exercise to remediate its legacy customer portfolio, or any other population where the organisation is deemed to have previously failed.
A remediation and look-back exercise is costly and time-consuming. This avenue should be avoided where possible by implementing and maintaining appropriate internal procedures at an early stage of any new business activity, or when a change occurs to existing internal arrangements, to ensure risk is identified and responded to in accordance with senior management’s risk appetite and policy framework.