Hiring a New MLRO: How MLROs and Financial Institutions Can Find the Right Fit

As part of our commitment to supporting senior compliance leaders, FINTRAIL is publishing a series of articles based on interviews with current and former MLROs, designed to provide actionable advice to those holding the money laundering reporting function (SMF17).

We recently published a paper on best practice for managing regulatory enforcement actions, based on our own research and interviews with MLROs at UK payment firms. Our advice in that paper presupposes that a firm is genuinely committed to meeting its anti-financial crime obligations, wants to ensure its programme is fit for purpose, and has an MLRO who is up to the task. However, this may not always be the case, and the pressures for the MLRO will clearly be compounded if the firm is not interested in supporting them. Several interviewees stressed how important it is for MLROs to assess a company’s compliance culture before joining, to avoid falling subject to an avoidable enforcement action, or being in a toxic situation where they are left to shoulder the blame without adequate support.

Advice for would-be MLROs

For any regulated function with significant responsibilities, it’s vitally important applicants don’t get swept up in the recruitment process and take on a role without giving it serious thought.  Prospective MLROs should make the most of the recruitment process to ask the firm - and themselves - the right questions to ensure they don’t regret their decision in the long run.

Recognise this role isn’t for everyone. Be honest with yourself about whether you are ready for the responsibilities that come with being an MLRO.  There is clearly the risk of personal liability if things go badly wrong, but this can seem like an unlikely worst-case scenario.  What is more likely is that you will be personally responsible for facing off to the regulator to justify your firm’s programme and answer for any failings.  Are you happy to take on this responsibility?  Do you have the experience and knowledge to run a programme that successfully identifies and mitigates risk?  Especially if this role is a promotion or a significant step up that seems too good to be true, consider if it is and if you’re happy with what you’re taking on!

Interviews should be a two-way process.  Use them to ask meaningful questions about the firm’s compliance programme, resources, tone from the top, and compliance culture. If it doesn’t feel right, be prepared to walk away.

Do your due diligence. Where possible, look into the firm’s compliance history. Has there been significant turnover of MLROs and key compliance staff?  If so, ask about it during the interview process - there may be a reasonable explanation unrelated to the firm’s compliance performance or culture, but try to bottom this out.  Is senior management forthcoming and open about any previous regulatory engagement, or significant audit findings or self-identified gaps?  Do you know any former employees of the company or is there anyone in your network who can give you an off-the-record view?  As before, if you’re not comfortable with the answers you’re getting (or not getting) consider if you should walk away.

Advice for hiring firms

On the flip side, firms can avoid falling foul of the regulator by ensuring they have a suitable individual in the key position of MLRO, and that they offer them the support they need. A good MLRO can ensure the firm doesn’t come under regulatory pressure in the first place, or can self-identify and report issues to the regulator to ensure a less hostile process. In a worst case scenario, they can capably and successfully deal with difficult enforcement actions. 

Invest time and effort in finding the right person.  It can be very easy for early-stage companies in particular to underestimate the importance of the role of MLRO.  When resources and headcount are stretched, it’s tempting to focus on the business and engineering side, and try to secure relatively cheap compliance resources.  However, this is likely to be a false economy if you end up in hot water and have to devote significant time and money to remedial action and regulatory engagement later on.

Broaden your horizons.  Many firms, especially scale-up companies, look internally when they need to fill the role of MLRO, promoting someone from within the compliance team. This person will obviously have a good understanding of the business - and may be so happy with the promotion they’re not too demanding in terms of salary, or involvement in governance and senior level decision-making.  However, unless they worked very closely with the former incumbent and you have a clear plan for their personal development, they are unlikely to have the full range of skills and knowledge required of an MLRO.  Consider carefully whether such an individual will be the right fit, and how you will support and upskill them if you do fill the role internally.

Be honest. If you already know that your programme has issues, or you’re already subject to regulatory action, you need an MLRO who is comfortable managing this situation.  You may not be able to share specific details, but the more you can tell prospective MLROs about what they’re taking on, the more sure you can be that they're up for the challenge.  A small number of people even thrive on such situations - they essentially act as troubleshooters, repeatedly coming into firms in difficulty to overhaul the programme and get it back on an even keel.  Most candidates who have previously undergone a regulatory action will fall into two camps - either their experience will give them unrivaled insights and make them the ideal candidate, or they will be burnt out from their previous experience and have no desire to go through it again!  Don’t make assumptions - make sure they know what they would be taking on and find out how they would feel about it before offering them the role.


Financial Crime Training - More than a Tick Box Exercise

Staying on top of new regulations and emerging financial crime risks is a constant challenge for financial institutions. Firms must grapple with a steady stream of new sanctions designations, evolving fraud typologies and terrorist financing threats, and even entirely new regulatory regimes (looking at you, AMLA). This fast-evolving landscape is one reason why most regulators insist on ongoing training on financial crime.

One of the most common pitfalls for financial institutions is relying on an off-the-shelf training programme. There are a plethora of ready-made AML training courses available which tick the box for meeting basic regulatory requirements; however their generic nature means they barely scratch the surface of what you really need to understand. In order to turn training into a key tool in reducing your risk exposure and an opportunity to develop, firms are advised to consider more bespoke options.

FINTRAIL designs and delivers bespoke training sessions tailored to individual firms’ risk profiles, products, geographies and sectors.  Read on to find out why this matters…

The regulatory imperative

In many jurisdictions, financial service firms are obliged to provide financial crime training to their staff. In the UK, for instance, the Money Laundering Regulations set out specific requirements that regulated firms must meet:

  • Firms must ensure relevant employees and agents are made aware of the law relating to money laundering and terrorist financing, and the requirements of data protection. 

  • Employees must regularly be given training in how to recognise and deal with transactions and other activities or situations which may be related to money laundering, terrorist financing or proliferation financing.   

  • Each firm must take account of the nature of its business, its size, and the nature and extent of the financial crime risks it faces.

Let’s take a look at what the regulations actually mean in terms of who needs what financial crime training and when.

One size does not fit all

The UK regulations define ‘relevant employees’ as anyone capable of contributing to the prevention or detection of money laundering, terrorist financing and proliferation finance or the identification or mitigation of the risk of these activities.  In other words, it’s not just the compliance team but also senior management and all sales teams, account managers and other customer-facing roles.  These different roles clearly face varying levels of exposure to financial crime risks and have different levels of existing knowledge.  As a result, financial crime training must be tailored to the specific needs of different employees’ roles and responsibilities.

  • Company-wide training: Every employee, from administrative staff to the CEO, should have a basic understanding of financial crime risks. Company-wide training often covers general topics like definitions of anti-money laundering (AML), fraud prevention, and raising concerns. This level of training helps establish a culture of vigilance and ethical behavior across the organisation.

  • Compliance teams: Those working in compliance or risk departments require in-depth training to ensure they can manage and monitor the firm’s anti-financial crime policies effectively. They need specialised knowledge of the firm’s obligations under applicable regulations, how to assess levels of risk exposure, how to fulfill KYC requirements and monitor customers’ behaviours, and how to report suspicious activity.

  • Senior management and board members: Senior management has ultimate responsibility for the firm’s financial crime compliance framework. It is therefore critical they understand their role in governance and risk oversight, and are well-versed in how to design, implement, and review an effective financial crime risk management program. This level of training should focus on high-level decision-making, understanding risk assessments, and maintaining accountability.

By customising training based on an individual’s role, regulated firms can ensure that everyone has the knowledge and tools they need to meet regulatory obligations and protect the company from financial crime.

As well as company-wide AML training and advanced training for compliance teams, FINTRAIL has delivered bespoke training for senior management, project managers, embedded finance agents, and RegTech sales teams.

It’s not all about AML training

Good financial crime training covers a wide range of topics. The UK Money Laundering Regulations specifically call out money laundering, terrorist financing and proliferation finance, but it’s also vital to understand sanctions evasion, fraud, and bribery and corruption risks amongst others. The depth of coverage required for each topic will vary depending on the firm’s operations, size, and risk exposure - i.e. different firms will require different training content.

Many firms are increasingly choosing to go beyond the main topic areas above, to look at specific topics of relevance to their company or where they have identified particular knowledge gaps.  At FINTRAIL, we have produced and delivered bespoke financial crime training on:

  • Financial crime risks for cryptocurrency

  • Tax evasion

  • Terrorist financing risks for FinTechs

  • Tipping off

  • Financial inclusion

  • Far right extremism

  • Building a compliant product

Financial crime training isn’t a one-time exercise 

Finally, the UK Money Laundering Regulations make it clear that it isn’t sufficient to provide training to new employees when they join a firm. Regulations change constantly, as do the financial crime threats a business faces, and the business’ activities and risk profile.  Staff therefore benefit from regular training - both to reinforce key messages and keep information fresh in their minds, and to keep them up-to-date with new regulations and risks.  For most firms, training takes place at onboarding, on an annual basis, and whenever there are significant changes to the regulatory environment or the company’s activities - e.g. if it expands into a new market or customer vertical, or begins offering a new product. Ad-hoc training can also be scheduled in response to identified knowledge gaps or areas of weakness.  

Hopefully this close review of the regulations shows the benefits of individualised financial crime training programmes over off-the-shelf courses. Firstly, a bespoke approach ensures that the training is relevant to your company’s specific needs, operations, and risk profile. A generic programme may not address the unique challenges your firm faces, leading to knowledge gaps that could expose you to regulatory and operational risks.

Secondly, bespoke training can lead to better engagement from staff. When training is tailored to their specific role and challenges, employees are more likely to find it valuable and retain the information. In turn, this can improve their ability to detect and report suspicious activities, strengthening your firm’s defenses against financial crime.

Lastly, bespoke training programmes demonstrate to regulators that your firm is taking its financial crime prevention responsibilities seriously. By designing a training programme that reflects your firm's unique risk profile and operational environment, you show a proactive commitment to regulatory compliance and ethical business practices.

If you would like to speak to FINTRAIL to learn more about how we can help you with your training requirements, please contact us.

Examples of our financial crime training projects

FINTRAIL was engaged by Finance Latvia, the industry association representing all major banks in Latvia, to deliver a financial crime training programme to CEOs and board members of Latvian banks. The training included a focus on balancing a risk-based approach with consumer duty obligations, and avoiding unnecessary de-risking.

FINTRAIL has worked with the Centre for Financial Crime and Security at RUSI on various financial crime training engagements, including terrorist financing and AML training throughout Europe. Most recently we have developed targeted training on Russia sanctions reporting requirements and detecting sanctions evasion for financial sector audiences in the Baltics, Denmark and the Netherlands.

FINTRAIL provided board-level senior management training for a banking services provider, designed to increase senior executives’ awareness of risks while scaling the business, and how to adopt a proportionate business-focused risk appetite.   It focused on financial crime risk assessments and risks related to downstream relationships, including an overview of controls and oversight of financial partners, as well as appropriate risk decisions.

FINTRAIL created and delivered three online AML training modules to staff of a European payments firm, focusing on suspicious activity reporting, transaction monitoring, and authorised push payment fraud controls. Each training module included exercises and case study examples to ensure engagement, and was bespoke to the client’s products and use cases.  FINTRAIL was subsequently asked to develop further training to their team in Q3 of 2024.


Reflecting on audit findings from H1 2024

While the first half of 2024 is still fresh in our minds, FINTRAIL has paused to reflect on our anti-financial crime (AFC) audits from H1 2024 to identify common findings and focus areas for regulated financial firms.

As always, the regulatory backdrop to these audits has continued to evolve. We have seen changes to the UK regulatory landscape with the introduction of new PEP requirements which came into force in January 2024 and the subsequent FCA consultation on its PEP guidance with updates to be released later this year. There has also been the implementation of the FCA’s 2024/2025 business plan including a commitment to reduce and prevent financial crime with a focus on consumer duty, fraud and financial inclusion. In Europe we have seen the introduction of the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) which aims to harmonise AML/CFT measures across the EU. The latter half of the year will also see some big changes with the UK Payment Systems Regulator (PSR) mandatory reimbursement requirements for victims of APP scams coming into force on 7 October 2024 and the introduction of the 6th AML Directive (AMLD) in Europe. 

Given the latest changes and pending updates, it is important for firms to stay up to date and continue to evolve and enhance their AFC frameworks. An external audit can help firms identify gaps or areas of weakness and ensure they stay on top of their regulatory requirements.

Key stats

  • The majority of our critical findings related to customer and payment screening controls and anti-financial crime risk assessments.

  • High-risk findings tended to relate to policies and procedures, and customer due diligence controls.

  • The largest number of findings related to customer and payment screening controls.

Policies and procedures

The majority of our findings from the year so far relate to firms’ policies and procedures. In particular, we have repeatedly seen the use of generic policies and procedures that do not align to a firm’s specific product and services or its current systems and controls. For example, policies and procedures have not always been updated to reflect changes to third party systems used or new AML regulatory requirements, despite going through an annual review cycle. This mirrors the findings from the latest FCA ‘Dear CEO’ letter from March 2024 which identified a lack of detail in policies creating ambiguity around the actions staff should take to comply with their obligations under the Money Laundering Regulations. 

It is important for firms to ensure their policies and procedures are up-to-date and reflective of the controls and processes in place, particularly in instances where the documents are used for training new employees or are informing key control areas like internal SAR reporting.

Common gaps we have seen in firms' AML policies and procedures include: 

  • No reference to proliferation financing

  • Not reflecting the latest UK regulatory updates relating to the treatment of domestic PEPs

  • No reference to Transfer of Funds regulations and the controls in place.

Governance 

In terms of governance, FINTRAIL has identified the following themes:

  • Management information - In some instances firms have been unable to easily retrieve management information on their customers and key controls (e.g. number of customers, average number of transaction monitoring alerts, number of SARs, number of open customer screening alerts). It is important for firms to be able to pull this data for the purposes of reporting, tracking against the firm's risk appetite, and understanding key performance indicators (KPIs) and key risk indicators (KRIs) to help drive decisions across the firm.  

  • Resourcing - We have seen many firms operating a lean AFC team structure, which is aligned to their business model, risks and stage of maturity. However, firms should consider or have in place a resource management plan which identifies the trigger points for hiring additional resources or reshuffling existing capacity. This ensures that resourcing is managed effectively as the firm scales and there is no last minute panicked hiring of resources. 

  • Record keeping - FINTRAIL noted in many instances that the storage of KYC information was unorganised and inconsistent. This includes information saved in different folders which means there is no single view of customer information. Likewise, it was difficult to obtain closed screening or transaction monitoring alerts which meant there was no evidence of alert dispositioning. It is important for this information and any associated decision-making to be easily retrievable on the customer’s file in the event of a law enforcement enquiry, or regulator or auditor request.

Risk assessments

Another key focus area for the FCA this year is business-wide risk assessments (BWRA). The FCA review found that in some instances money laundering (ML), terrorist financing (TF) and proliferation financing (PF) risk assessments had not been carried out at all, and in other instances firms had failed to document the steps undertaken to identify and assess the ML/TF/PF risks. 

Similarly, at FINTRAIL we have identified these common findings relating to firms’ BWRAs:

  • Firms are not documenting their risk assessment methodology comprehensively, particularly in relation to how they calculate residual risk. Often this calculation appears very subjective and excludes a quantitative element. 

  • Firms are grouping and amalgamating various financial crime risks into one within their risk assessments, not taking into account the differences between the TF, ML and PF risk exposure to the business. 

  • Firms lack a control library and appear to be amalgamating controls for the purpose of the risk assessment, which is not always reflective of the control effectiveness or how effectively individual controls are mitigating the inherent risk. 

  • Firms are not referencing the sources they use to conduct their risk assessment, taking into account internal data and external factors such as the UK National Risk Assessment.

In relation to customer risk assessments, FINTRAIL has identified the following common themes:

  • It is not always clear what specific risk factor is being considered in the risk assessment. For example, we tend to see many firms capturing ‘geography’ as a risk factor but it is unclear what specifically this relates to, i.e. residency of UBO, country of incorporation, or transactional activity. The lack of granularity could influence the overall risk rating of the customer, meaning it is not reflective of the actual risk posed. 

  • Firms tend to rate each risk factor equally, which does not always best reflect the customer's actual risk. This could lead to a skewed book of customer risk or an ineffective use of the manual override function.

Additionally, we have seen multiple occasions where a firm's country risk rating list is not up to date (i.e. not updated with the latest high-risk third countries) and therefore feeds into other control areas incorrectly, such as customer risk assessments or transaction monitoring. This means country risk is not being monitored effectively, potentially exposing firms to countries with high financial crime risk exposure.

Customer due diligence

FINTRAIL observed that most firms are implementing effective customer due diligence controls at onboarding. Across most audits, there has been clear documentation for the customer due diligence process and clear instructions for the onboarding team to implement.

One area where we see firms struggle is the KYC refresh process where there are often backlogs due to both poor customer response time and operationally cumbersome processes which divert resources away from other priority areas. There are often no clearly defined timelines built into the KYC refresh process, or clearly defined outcomes and actions taken in the event of no response from the customer. These areas are critical to build out to ensure the customer is notified with ample time to respond, there are clear ‘request for information’ protocols and schedules of correspondence, and clear timelines and actions in the event of no response from the customer. This is to ensure firms are collecting KYC information in a timely manner and that customer information is up to date. 

Another area of focus relates to firms offering downstream services to other financial institutions or payment service providers. In particular we have seen that these firms have not clearly documented their reliance, oversight or outsourcing framework to ensure the effective oversight of these inherently higher risk relationships. Additionally, for these types of relationships we have seen that firms are not factoring in their clients’ AML/CTF control frameworks in the customer risk assessment.

Suspicious activity reporting

Mainly identified through file review sessions, FINTRAIL has noted that internal SARs and investigations do not always clearly reference reasons for suspicion. In many instances the team could verbally articulate the reasons for suspicion, but there was little documented evidence of this within the internal SAR and investigation notes. This could affect the quality of the external SARs submitted to authorities. The quality of external reporting has been a focus area for many firms in line with Principle 3 on ‘Providing highly useful information’ of the Wolfsberg Group’s Principles of Effectiveness.

Screening

The majority of our critical findings in H1 related to firms’ screening controls, particularly ongoing customer screening. In some instances we have seen firms not conducting ongoing customer screening or being unable to demonstrate this. This is often a result of firms not understanding their third party tooling settings or being unaware that their tools have this functionality. 

Fraud 

In light of the PSR’s policy changes coming into play later this year, we have seen many firms make an effort to get their APP fraud controls into shape ahead of the October enforcement date. With that said, while firms have made appropriate updates to their fraud frameworks, there is often little evidence of documentation of these controls. Additionally, fraud risks and anti-fraud controls do not appear to be documented within firms’ risk assessments. Given the FCA’s focus on consumer duty and fraud this year, this should be a focus area for many firms. 

Compliance monitoring

We have seen from our audits this year that compliance monitoring is last on many firms’ to-do lists. While some companies have a documented compliance monitoring plan, it is rarely implemented due to resourcing, time or priority constraints. This is particularly the case for smaller firms which lack dedicated assurance resources. 

How can FINTRAIL help?

At FINTRAIL we are passionate about combating financial crime. Our unique team of experts is drawn from the industries we support and has deep hands-on experience in developing and deploying risk management controls from leadership roles with leading banks, FinTechs, and other financial institutions. 

We have extensive experience assisting financial services businesses with audits and assurance processes. We have a proven track record of identifying areas where clients can enhance their compliance and make their programmes more effective. Our approach is tailored to the unique circumstances of each client, is regulatory and technology driven, and is focused on providing excellent customer outcomes. We offer our clients pragmatic solutions to the most complex challenges and our goal is to ensure our clients can thrive, free from the negative impacts of financial crime.

If you wish to speak to our team about your requirements for an upcoming audit, please get in touch.


Navigating New FCA Guidance on Politically Exposed Persons (PEPs)

The treatment of UK politicians within the financial services sector has sparked political debate and generated media headlines over the past year, particularly in the wake of the Nigel Farage-Coutts scandal (see ‘Timeline of events’ below).  In response, the UK regulator, the Financial Conduct Authority (FCA), has called on UK financial services firms to improve the treatment of Politically Exposed Persons (PEPs).  With financial institutions’ management of PEPs subject to heightened scrutiny and new regulatory requirements, FINTRAIL summarises the key takeaways from the FCA’s latest guidance.


Timeline of events

  • July 2017 - The FCA releases its original guidance on PEPs (Finalised Guidance FG17/6, “The treatment of politically exposed persons for anti-money laundering purposes”) under regulation 48(1) of the Money Laundering Regulations, detailing how financial service firms should treat customers who are PEPs when meeting their AML obligations.

  • June 2023 - The UK private bank Coutts closes the account of British politician Nigel Farage. Farage claims the decision is politically motivated and files a Subject Access Request, which reveals the decision was made for reputational risk reasons and perceptions his views are ‘xenophobic and racist’.  The case causes a political and media debate, and Chancellor Jeremy Hunt contacts the FCA regarding an urgent investigation into whether politicians are being debanked or denied services because of their status.

  • September 2023 - The FCA launches a multi-firm review on the treatment of PEPs, contacting 1,000 PEPs (from whom it receives 65 responses) and 15 financial service firms. 

  • December 2023 - The UK government announces changes to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 in relation to the treatment of PEPs entrusted with prominent public functions in the UK (referred to as “domestic PEPs”).  These changes come into force on 10 January 2024. (See FINTRAIL’s post on “PEP Guidance Reflecting Recent UK Regulatory Changes”)

  • July 2024 - The FCA publishes its final review, setting out its findings on how effectively firms are following the FCA guidance on PEPs. It also launches a guidance consultation (GC24/4) on proposed amendments to the FCA PEP guidance, which is open for consultation until 18 October 2024.


What is a Politically Exposed Person?

Under the UK Money Laundering Regulations (‘MLRs’), firms are required to have appropriate risk management systems and procedures to determine whether a customer or the beneficial owner of a customer is a PEP (or a family member or known close associate of a PEP) and to manage the risks arising from this relationship. 

Most national definitions of a PEP stem from the Financial Action Task Force (FATF) recommendations on anti-money laundering which define PEPs as individuals entrusted with a prominent public function. The FCA guidance states that the definition of a ‘prominent public function’ will vary according to the nature of the function held by a person; but firms are expected to understand the nature of the position held and consider whether it gives rise to the risk of large-scale abuse of position. 

What is a prominent public function?

In line with the UK MLR’s Regulation 35(12)(a) PEPs are defined as individuals entrusted with prominent public functions, including:

  • Heads of state, heads of government, ministers and deputy or assistant ministers

  • Members of parliament or similar legislative bodies including regional governments in federalised systems and devolved administrations, including the Scottish Executive and Welsh Assembly, where such bodies have some form of executive decision-making powers. It does not include local government in the UK but it may, where higher risks are assessed, be appropriate to do so in other countries.

  • Members of the governing bodies of political parties. The FCA considers this only applies to political parties who have some representation in a national or supranational parliament or similar legislative body. The extent of who should be considered a member of a governing body of a political party will vary according to the constitution of the parties, but will generally only apply to the national governing bodies where a member has significant executive power (e.g. over the selection of candidates or distribution of significant party funds). 

  • Members of supreme courts, constitutional courts or any judicial body the decisions of which are not subject to further appeal except in exceptional circumstances - in the UK this means only judges of the Supreme Court. Firms should not treat any other member of the judiciary as a PEP and only apply EDD measures where they have assessed additional risks.

  • Members of courts of auditors or of the boards of central banks

  • Ambassadors, chargés d’affaires and high-ranking officers in the armed forces. The FCA considers this is only necessary where those holding these offices on behalf of the UK government are at Permanent Secretary/Deputy Permanent Secretary level, or hold the equivalent military rank (e.g. Vice Admiral, Lieutenant General, Air Marshal or more senior).

  • Members of the administrative, management or supervisory bodies of state-owned enterprises. The FCA considers this only applies to for-profit enterprises where the state owns 50% or more, or where readily available information points to the state having control over the activities of such enterprises.

  • Directors, deputy directors and members of the board or equivalent function of an international organisation. The FCA considers that such international organisations only include international public organisations such as the UN or NATO. This definition does not extend to international sporting federations.

What is not a prominent public function?

  • The FCA guidance makes clear that public servants below Permanent or Deputy Permanent Secretary should not be assessed to have a prominent public function. 

  • The definition excludes individuals who are ‘junior or mid ranking’. However, firms can assess whether middle ranking or more junior officials could act on behalf of a PEP and therefore pose an elevated risk.

The UK MLRs define family members of PEPs as: (1) spouse or civil partner of a PEP (2) children and their spouses or civil partners, and (3) parents.  NB: The FCA guidance also includes siblings in the definition of family members.  A proportionate risk-based approach should be used for family members falling outside the regulatory definitions (e.g. aunts and uncles); it may be appropriate to include a wider circle of family members in cases where the PEP poses a higher risk.

The MLRs define close associates as: (1) individuals known to have joint beneficial ownership of a legal entity or a legal arrangement or any other close business relations with a PEP, and (2) an individual who has sole beneficial ownership of a legal entity or a legal arrangement which is known to have been set up for the benefit of a PEP.


Summary of the FCA PEP Guidance

Due to the nature of politicians' roles, there is an increased risk that they or their family members and close associates may be involved in bribery and corruption. This should be managed through senior management oversight, risk management measures and enhanced due diligence (EDD) as follows:

1. The firm must have in place procedures to identify whether a customer or the beneficial owner of a customer is a PEP or a family member or a known close associate of a PEP. 

A useful starting point for firms is to clearly set out the definitions of PEPs, family members and RCAs (relatives and close associates) which align to the definitions within the FCA PEP guidance. They should ensure these definitions are used to assess an individual's role and determine whether they are a true PEP at onboarding and if their status changes during the customer relationship.

The firm should also define how long a customer is considered a PEP once they have left public office.  This should ideally be risk-based depending on the role and risk posed. There should be mechanisms in place to identify when an individual steps down from a public function to ensure they are not treated as a PEP for longer than necessary. 

Per the MLRs, individuals should be subject to risk-based EDD for at least 12 months after the date they cease to be entrusted with a public function. This does not include family members who should be treated as ordinary customers from the date the PEP leaves office.

2. The firm must have in place appropriate systems and procedures to assess the level of risk associated with PEP customers and the extent of EDD measures that need to be applied to manage the enhanced risks arising from the customer.

The firm should apply a risk-based approach to identifying PEPs and apply EDD where relevant. The customer risk assessment should consider all factors relevant to the customer risk and not just PEP status; this will provide an accurate representation of the risk posed by the PEP customer and make it clear what causes a PEP to be high risk.

3. Where a PEP (or a family member or a known close associate) relationship is identified, the firm must:

  • Obtain senior management approval for establishing or continuing the business relationship with that person

  • Take adequate measures to establish the source of wealth and source of funds which are involved in the proposed business relationship or transactions with that person

  • Conduct enhanced ongoing monitoring of the business relationship with that person.


Recent changes to the UK Money Laundering Regulations

Since 10 January 2024, the MLRs have been amended to state that the starting point for the assessment of domestic PEPs should be lower risk than a non-domestic PEP, and EDD shall only be applied in the event that other higher risk factors are present. Some indicators of lower or higher risk factors are described below.

Lower risk factors

Product - The customer is seeking access to a product which poses a lower risk as defined by the firm’s risk assessment.

Geographical - The customer is entrusted with a prominent public function in the UK and is therefore considered a ‘domestic PEP’, or is a PEP in a country with similar lower levels of corruption and misconduct, and similar political stability. If other risk factors are present then the individual may be considered higher risk.

Personal and professional - The customer does not have executive decision-making responsibilities or is subject to rigorous disclosure requirements.

Higher risk factors

Product - The customer is seeking access to a product which poses higher money laundering risks and is capable of being misused to launder the proceeds of large-scale corruption.

Geographical - The customer is entrusted with a prominent public function in a country considered to have a higher risk of corruption or political instability and weak AML defences.

Personal and professional - The customer’s personal wealth or lifestyle is inconsistent with their known legitimate sources of income or wealth, there are credible allegations of financial misconduct, or the customer is in a position of responsibility or has greater ability to influence decisions.

The table below highlights measures that firms can take depending on the specific risks posed by the individual in question. A firm may decline a relationship with a PEP where it has concluded the risks posed by a customer are higher than they can effectively mitigate.

Measures to take in lower risk situations 
This could apply for domestic PEPs with no other high risk indicators

Source of wealth and source of funds - Less intrusive and exhaustive steps to establish source of wealth and source of funds (e.g. using publicly available information).

Adverse information - Standard adverse media screening or other checks in line with other lower risk customers.

Oversight and approval - At a level less senior than the board of directors (e.g. the MLRO).

Ongoing monitoring - The business relationship is subject to less frequent formal review (e.g. in line with the regular KYC refresh cycle for updating customer information or when the customer requests a new service or product). 

Measures to take in higher risk situations 
This could apply to non-domestic PEPs or domestic PEPs with other high risk factors present

Source of wealth and source of funds - More intrusive and exhaustive steps to establish the source of wealth and source of funds, such as requesting detailed information and documentary proof from the customer.

Adverse information - More comprehensive adverse media checks (e.g. more thorough open source research as well as standard automated screening), or specially commissioned due diligence reports.

Oversight and approval - At a more senior level of management (e.g. the board of directors).

Ongoing monitoring - The business relationship is subject to more frequent and thorough formal review to determine whether it should be maintained (e.g. annual review).
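The decision procedure described above (the 12-month post-office period, family members dropping out when the PEP leaves office, the lower-risk starting point for domestic PEPs, and escalation to the higher-risk measures when other factors are present) as an added worked example; this is not FINTRAIL's or the FCA's code, and the field names, the boolean risk indicators, the ISO-date strings and the condensed measure wording are this example's own assumptions.

```python
"""PEP status and EDD-tier decision logic following the UK MLRs / FCA PEP guidance
as summarised above. Added example, not FINTRAIL's or the FCA's own code; field
names, risk indicators and the condensed measure wording are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# MLRs: risk-based EDD continues for at least 12 months after leaving office.
COOLING_OFF = timedelta(days=365)


@dataclass
class Customer:
    name: str
    relationship: str                      # "pep", "family", "close_associate" or "none"
    domestic: bool = True                  # prominent public function held in the UK
    comparable_jurisdiction: bool = False  # lower-risk geography, treated like domestic
    left_office: Optional[str] = None      # ISO date the PEP left office; None while in office
    # Higher-risk indicators drawn from the 'Higher risk factors' list above
    high_risk_product: bool = False
    high_risk_country: bool = False
    wealth_inconsistent: bool = False
    misconduct_allegations: bool = False
    executive_influence: bool = False


# Measures condensed from the lower/higher risk table above.
MEASURES = {
    "lower": {
        "source_of_wealth": "less intrusive steps, e.g. publicly available information",
        "adverse_information": "standard adverse media screening",
        "approval": "below board level, e.g. the MLRO",
        "review": "regular KYC refresh cycle or on request for a new product",
    },
    "higher": {
        "source_of_wealth": "detailed information and documentary proof from the customer",
        "adverse_information": "thorough open-source research or commissioned due diligence",
        "approval": "senior management, e.g. the board of directors",
        "review": "more frequent formal review, e.g. annually",
    },
}


def pep_status_on(c: Customer, as_of: str) -> str:
    """Classify the customer on a given ISO date.

    Returns "pep", "former_pep", "family", "close_associate" or "none". "former_pep"
    means the PEP has left office but is inside the 12-month period in which the
    MLRs still require risk-based EDD.
    """
    if c.relationship == "none":
        return "none"
    today = date.fromisoformat(as_of)
    if c.left_office is None or today < date.fromisoformat(c.left_office):
        return c.relationship
    left = date.fromisoformat(c.left_office)
    if c.relationship == "family":
        # Family members become ordinary customers from the date the PEP leaves office.
        return "none"
    if today < left + COOLING_OFF:
        # Assumption: close associates stay in scope for the cooling-off period like
        # the PEP; the guidance summarised above only carves out family members.
        return "former_pep" if c.relationship == "pep" else c.relationship
    return "none"


def higher_risk_factors(c: Customer) -> list:
    """Names of the higher-risk factor groups present, in the order listed above."""
    factors = []
    if c.high_risk_product:
        factors.append("product")
    if c.high_risk_country:
        factors.append("geographical")
    if c.wealth_inconsistent or c.misconduct_allegations or c.executive_influence:
        factors.append("personal_and_professional")
    return factors


def assess(c: Customer, as_of: str) -> dict:
    """Decide the EDD tier and measures for a customer on a given ISO date.

    Domestic PEPs (and PEPs from comparable lower-risk jurisdictions) start as lower
    risk and move to the higher tier only when other higher-risk factors are present;
    non-domestic PEPs start in the higher tier. Non-PEP customers get standard CDD.
    """
    status = pep_status_on(c, as_of)
    if status == "none":
        return {"status": status, "tier": "standard", "factors": [], "measures": None}
    factors = higher_risk_factors(c)
    lower_baseline = c.domestic or c.comparable_jurisdiction
    tier = "lower" if lower_baseline and not factors else "higher"
    return {"status": status, "tier": tier, "factors": factors, "measures": MEASURES[tier]}


if __name__ == "__main__":
    review_date = "2024-06-01"  # constructed review date
    cases = [  # constructed sample customers
        Customer("UK minister, no other indicators", "pep"),
        Customer("Overseas minister, weak AML regime", "pep", domestic=False, high_risk_country=True),
        Customer("UK MP with unexplained wealth", "pep", wealth_inconsistent=True),
        Customer("UK PEP who left office Sept 2023", "pep", left_office="2023-09-01"),
        Customer("Spouse of the above", "family", left_office="2023-09-01"),
    ]
    for cust in cases:
        r = assess(cust, review_date)
        print(f"{cust.name:38} {r['status']:11} {r['tier']:8} {r['factors']}")
```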


Findings from the ‘Treatment of PEPs’ review

From September 2023 to July 2024, the FCA conducted a review of firms' approaches to PEP customers to assess whether they were correctly applying its PEP guidance. The findings included the following:

  • Defining PEPs - some firms included definitions for PEPs and RCAs that were not in line with the regulations and the FCA guidance. 

  • Conducting proportionate risk assessments - a small number of firms were not effectively considering the customer’s actual risk in the assessment and risk rating.

  • Applying EDD and ongoing monitoring proportionately and in line with risk - some firms’ policies and procedures and customer file testing showed that they were regularly applying “excessive” EDD.

  • Deciding to reject or close accounts for PEPs, family members and known close associates - firms were clear that they would not decline products or services to UK PEPs or their RCAs simply because of their PEP status. 

  • Effectively communicating with PEP customers - some firms need to improve the clarity and detail of communications with PEP and RCA customers, especially providing more detail in their requests so that customers can understand what they are being asked to do and why. 

  • Keeping PEP controls under review to ensure they remain appropriate - some firms need to ensure they update their policies to reflect the legislative developments and recent amendment to Regulation 35 of the UK MLRs.


Watch this space

The FCA is now consulting on proposed amendments to its PEP guidance, to follow up on its ‘Treatment of PEPs’ review. It is seeking feedback on three key areas:

  1. Non-executive board members (NEBMs): NEBMs are appointed to government departments from the public, private and voluntary sectors. As their role is to provide advice and bring an external perspective, NEBMs do not have any executive authority. As such, the FCA is proposing to clarify in its guidance that these roles should not be considered as PEPs in the UK context.

  2. Sign-off: Under the MLRs it is a requirement that all PEP relationships are signed off by senior management. The FCA guidance sets the expectation that all PEP relationships should be signed off by the MLRO at a minimum with higher risk relationships potentially signed off at a higher level. Industry feedback indicates this part of the guidance causes concerns about the MLRO’s independence. As such, the FCA is proposing to amend the guidance to allow for alternative approaches to sign-off provided the MLRO maintains oversight of all PEP relationships within the firm. 

  3. Regulatory changes: The FCA proposes making targeted amendments to reflect the legislative change that firms should treat domestic PEPs as lower risk unless there are other apparent risk factors unrelated to their PEP status.


At FINTRAIL, we combine deep financial crime risk management with industry expertise to optimise your anti-financial crime programme. We have extensive experience in creating robust policies and procedures, refining and testing systems and processes, and providing context-based training. Get in touch to find out how we can help you refine your enhanced due diligence measures and incorporate an effective risk strategy for PEPs.

Balancing compliance and compassion: Identifying and supporting vulnerable customers

Financial crime compliance is a complex mix of protecting financial institutions, their customers and society at large from involvement in criminal activity.  Within this wide scope, there is one group which requires particular attention: vulnerable customers. This blog will look at the regulatory meaning of this term, why it’s important to understand various types of vulnerability in the financial landscape, and what fincrime compliance officers need to think about.

Vulnerability can stem from a multitude of factors including age, mental or physical health, financial literacy, or life events such as divorce or bereavement. The 2020 Financial Lives Survey found that 46% of UK adults (that’s 24 million people!) showed one or more characteristics of vulnerability. According to a recent survey by NICE International, about 17% of customers in the UK self-identify as vulnerable, while as many as 67% of customers could potentially be classified as vulnerable when assessed against the Financial Conduct Authority’s (FCA) criteria.

According to the FCA, a vulnerable consumer is “someone who, due to their personal circumstances, is especially susceptible to detriment, particularly when a firm is not acting with appropriate levels of care”.

Understanding vulnerability

Below are the FCA’s four drivers of vulnerability along with their associated characteristics:

An elderly individual navigating complex investment schemes, a college graduate drowning in student debt, or a recently widowed single parent juggling bills with a meagre income. Any customer could require additional assistance, but certain situations increase the likelihood of this need. Vulnerable customers are not just statistics; they're real people facing real challenges.

According to a recent survey by the Vulnerable Registration Service, where vulnerability exists, exploitation often follows. Criminals capitalise on the weaknesses of vulnerable customers through fraud schemes, misleading lending practices, coercion or embroilment in money muling, striking at a time when their victims’ defences are weakened. It is an unfair situation where the most vulnerable people end up suffering the most. And the repercussions of financial exploitation extend far beyond monetary loss, leading to a lack of trust in banks and severe emotional stress.

Consumer Duty: Safeguarding the vulnerable

The FCA stresses the importance of protecting vulnerable customers through its guidance and consumer duty principles. Financial institutions must ensure good outcomes for all consumers, especially those who are vulnerable. They need to identify vulnerable customers, understand their needs, and provide appropriate support including risk assessments and tailored assistance. The Consumer Duty requires senior management to embed these principles into their business practices and demonstrate how they put customer well-being at the heart of their decisions and business strategies.

This approach aims to protect consumers and build trust and confidence within the financial services sector. By adopting the Consumer Duty principles and focusing on transparency, accountability and fairness, firms can provide a positive experience for customers and achieve long-term success in a competitive market. This means carefully monitoring customer results, using feedback systems, and constantly updating practices to meet changing customer needs.

How to identify and support vulnerable customers

To identify vulnerable customers, both interactions with customers and more technological methods such as data analytics can be used. Signs of vulnerability can be detected through transaction analysis, including:

  1. Erratic spending

  2. Frequent late payments

  3. Other patterns that deviate from the customer’s usual behaviour

This monitoring can supplement, and be supplemented by, the work of trained customer service teams who can learn to identify signs of vulnerability such as confusion, stress or difficulty understanding financial products through behaviour, communication patterns, and customer disclosures.

Once firms have identified vulnerable customers, creating dedicated support teams and performing regular account reviews are essential steps in preventing exploitation. When a customer is at particular risk of fraud, for instance, quick and decisive actions are crucial — this includes freezing suspicious transactions before money is lost. Throughout any subsequent investigations, firms must communicate clearly with the customer, and can consider offering financial education and guidance to help them avoid future attacks and rebuild their financial security.

Vulnerable customers may also struggle with firms’ standard procedures and controls. They may not have valid forms of identification, or may not be able to use automated identity verification solutions. In such cases, alternative documents and manual options such as submitting physical documents or using phone or video calls should be provided to ensure inclusivity. Good examples of using alternative identification processes are given in the FCA Handbook. Customer service representatives should be trained to guide customers through these processes and offer comprehensive support, ideally with a choice of phone, email, and live chat, as well as in person where possible.

James Nurse, Managing Director at FINTRAIL, recently shared his insights on BBC Radio 4's MoneyBox programme. He commented on the case of an elderly couple who had trouble meeting due diligence requirements. Despite their efforts, their account was closed because they were unable to provide an updated photo ID or passport. The story highlights the need for clear guidance on the use of non-standard identity documentation to help vulnerable people who don't have the usual documents needed to access banking and financial services.

FCA evaluation

Currently, the FCA is engaged in an open evaluation concerning the treatment of vulnerable customers by financial firms. In May it issued a 40-part questionnaire asking for information on how financial services firms identify vulnerable customers, and how they design products and communications to meet client needs and measure outcomes. The assessment seeks to gauge the efficacy of current practices and policies, and will assess whether the outcomes experienced by vulnerable consumers are equitable compared to those of others.

By scrutinising firms' treatment of vulnerable customers, the FCA aims to identify any shortcomings or areas for improvement within the industry and to drive positive change that enhances the overall experience and outcomes for vulnerable individuals. The findings of this review, expected to be published by the end of 2024, will likely inform future regulatory guidance and initiatives aimed at promoting greater inclusivity and protection within the financial services sector while maintaining appropriate financial crime controls.

Conclusion

Financial services firms must understand the unique risks of money laundering and fraud vulnerable customers face, and how their fincrime controls may inadvertently discriminate against such customers. They need to evaluate the effectiveness of a range of control mechanisms, both traditional and innovative, to find a balanced solution. This requires strong risk management tailored to the specific needs of vulnerable individuals. By doing thorough assessments and implementing tailored controls, they can better protect the financial well-being and security of these customers while mitigating financial crime risks appropriately.

At FINTRAIL, we leverage our deep financial crime risk management expertise to support clients in treating vulnerable customers effectively. We help our clients:

  • Create robust policies and procedures

  • Refine and enhance your systems and processes

  • Reduce fraud exposure

  • Engage in targeted training

Our approach includes identifying and mitigating risks relating to vulnerable customers, and ensuring their protection through flexible yet robust controls.


If you’d like to find out more about our services, please get in touch.

300 members and counting!

The FinTech FinCrime Exchange (FFE) is celebrating an important milestone - we’ve reached over 300 member firms! 🥳 The FFE was originally set up by FINTRAIL as a small roundtable, and has grown from strength to strength to become the leading compliance network for FinTech professionals. We’ve taken part in public-private partnerships with Europol, the National Economic Crime Centre and others; produced our own podcast (then again, who hasn’t?!); chaired round tables and written industry guidance papers; and put on one of the industry’s most popular conferences: FFECON! And we couldn’t have done it without all our amazing members. 🥰

What is the FinTech FinCrime Exchange?

The FFE is a global network of FinTechs brought together by FINTRAIL collaborating on best practices in financial crime risk management. Member firms cover the whole FinTech ecosystem - payments and retail banking, investment, lending, cryptocurrency, and banking-as-a-service. We currently have members from 43 different jurisdictions around the world. 🌍

Origins of the FFE

FINTRAIL began the FFE as an ad-hoc roundtable with just six companies back in January 2017.  FINTRAIL had noticed that several clients were experiencing the same financial crime typology, and wanted to create a way for them to share this information and ideas for effective counter-measures. The idea proved so popular that FINTRAIL then set up the FFE as a permanent community, with regular physical meet-ups in the UK, Singapore and the USA. These meet-ups naturally became virtual in 2020 due to the COVID pandemic, allowing more firms from other parts of the world to participate. We now blend in-person meetings and social events with virtual meet-ups and webinars to make the best of both worlds for all our members.

Why the FFE is special

One of FINTRAIL’s key motivators for establishing the FFE was the obvious need for a dedicated compliance organisation for FinTechs. FinTechs comprise a key part of the financial ecosystem but are often excluded from forums reserved for established, larger financial institutions (such as JMLIT in the UK). In addition, they often cannot afford the costs of involvement with professional bodies. So the FFE was founded to offer a unique, totally free network for digital-native, innovative firms to collaborate and share their insights and knowledge to fight financial crime together. 💪

Don’t just take our word for it - hear what our members have to say!

What we have planned next

We may have hit 300, but have no intention of stopping here!  We’re going to continue to grow the FFE membership, especially by expanding in particular subsectors and new geographies.  We also want to spread awareness of the power of the FFE within current member firms, to make sure all teams - financial crime, fraud, KYC operations etc. -  can make the most of their membership.

We are taking a pause on hosting FFECON this year, but have an exciting calendar of events lined up in its place. For instance, FINTRAIL and the FFE are hosting a series of senior leaders round tables focusing on topics of keen interest to participants, such as consumer duty and APP fraud. We’ll also be putting on social events to bring the whole London-based community together. 🎉

How to get involved

If you hold a financial crime compliance role at a FinTech and you’d like to get involved, you can apply to become a member today. Be sure to follow us on LinkedIn too to keep up-to-date with what’s going on. If you want to learn more about the community and our activities, check out the FFE’s website page or contact us at ffe_admin@fintrail.com.

You can also learn more about FINTRAIL and the people behind the initiative here

Anti-financial crime audit benchmarking

You asked: “How does our AFC audit compare to our peers?” and “What are the common themes you see in audits?”

We answered…

When conducting anti-financial crime (AFC) audits, our clients often look to understand how their results compare to peer firms across the industry. In fact, when we shared our common audit findings in our ‘Priorities for 2024’ webinar, we fielded a number of questions on what typical audit findings tend to uncover, to help firms understand if they are doing better or worse than average. To assist firms in understanding how their audit compares to other firms, FINTRAIL audit reports now include peer benchmarking for our larger audits.

While there are certainly no ‘one-size-fits-all’ audit results, having looked back over our audits for the past 12 months we have seen similar findings cropping up repeatedly across firms. And when you compare these to a summary of last year’s findings from the Financial Conduct Authority’s (FCA) Priorities for Payment Firms and the European Banking Authority’s (EBA) Report on ML/TF risk associated with Payment Institutions, there are common themes from a regulatory perspective that align with what we see in practice when conducting audits.

The table below compares the feedback shared by the key regulatory bodies alongside common findings from FINTRAIL’s audits by thematic areas. Any firm subject to an AFC audit in 2024 should look at these findings against their control framework, assess if any of them could be relevant to their business and consider if they need to embark on any remedial work before their next audit.

When you compare the feedback from regulators with the analysis we have undertaken across the audits we have conducted, we see the same areas consistently appearing in our audit findings. Screening, CDD, governance, risk assessment and transaction monitoring are the control areas where we see the highest number and highest severity of findings. While this observation does not diminish the importance of findings in other areas - e.g. assurance or training - it does reflect that firms often still struggle with the effectiveness of core control areas.

FINTRAIL’s peer benchmarking can compare how your control areas map against peers in the industry and use an audit score reflecting the number of recommendations and the priority level to show where your firm sits in comparison to similar firms. The graph below is an example of how this is portrayed within our audit report. The blue columns represent the average number of findings weighted by priority level across all audits FINTRAIL has conducted over the last 18 months. The black dotted line represents where your firm sits. If your audit findings fall within the blue columns, your firm is in line with, or exceeding, industry standards. If they fall above this, this indicates areas that should be a key focus for your firm.

Whether it is used for your own personal insight, or to include in the audit report you provide to your board or banking partners, this snapshot of your firm compared to your peers can be a powerful indicator of the effectiveness of both the individual components of your control framework, and the framework as a whole.

With the FCA announcing that it will deploy “greater assertiveness in preventing those who can’t or won’t meet [their] standards entering into or remaining in the regulated sector”, the power of an audit in improving a financial crime framework, while also strengthening your position in future regulatory engagement, is immense.


At FINTRAIL, we conduct both enterprise-wide financial crime audits and targeted assessments of specific controls or risk areas. These reviews can cover the full gamut of financial crime risks, with particular focus on AML, terrorist financing, sanctions evasion, and fraud.

Anti-Financial Crime Developments and Priorities for 2024

There is never a dull year in anti-financial crime, and 2023 was certainly no exception. From the introduction of the UK’s Economic Crime Bill, to new crypto laws including the EU’s regulation on markets in crypto-assets (MiCA), a global raft of sanctions against Russia, and legislative attempts to rein in the global fraud pandemic, there’s been plenty to keep on top of. 

It’s early days, but there seems no reason to believe 2024 will be any different.  We are already aware of several pieces of legislation due to come into effect this year, and various regulators have clearly signposted their current areas of focus via guidance notices and consultations with the industry.  So let’s read the tea leaves and see what financial institutions can expect in 2024!


FINTRAIL held a webinar on financial crime trends for 2024, and asked the audience what their main areas of focus were for the year ahead. This is how they responded at the end of the session.

Poll: What are your priorities and main areas of focus for 2024? Please select all applicable answers.


Fraud

Fraud is big global news. In the UK, for example, criminals stole over half a billion pounds in the first six months of 2023 alone¹. Traditional methods of deception are as popular as ever, and are being complemented by increasingly sophisticated cyber-attacks and intricate social engineering schemes. 

While regulators everywhere are acutely aware of the issue, the UK is leading the way in terms of a regulatory response.  In 2023, the Payment Services Regulator (PSR) undertook a multi-pronged approach to reduce authorised push payment (APP) fraud within the Faster Payments System, which is due to continue into 2024.  Here’s what to look out for: 

  • New mandatory reimbursement requirements, announced in June 2023, are due to come into effect in October 2024. These will require both sending and receiving payment institutions to reimburse all victims of APP fraud in full based on a 50/50 split, with limited exceptions for fraud or gross negligence. Read more in our blog here.

  • In 2024 the PSR will be publishing “league tables” of performance on APP fraud in 2023.  Last year’s report on 2022 data called out inconsistent outcomes for victims, and highlighted that certain receiving institutions took in a disproportionate volume of funds derived from APP fraud.  Expect to see more scrutiny of these areas in the 2024 report. Read more in our blog here.

  • The coverage of the Confirmation of Payee scheme will be extended in October 2024, with all financial institutions that participate in Faster Payments or CHAPS required to implement the tool.

In other fraud news:

  • The UK government launched its national Fraud Strategy in May 2023, which aims to reduce fraud by 10% on 2019 levels by December 2024.  The various measures announced under the strategy - such as a new national fraud squad, replacing Action Fraud with a new reporting system, cracking down on abuse of the telephone network, and engaging the tech industry - are ongoing.  Separately, the Home Affairs Committee inquiry into fraud launched in September 2023 will publish its results sometime this year.

  • The FCA issued several guidance documents² on fraud in 2023, which implicitly set out what firms will be judged against in 2024.  The guidance highlighted issues with detecting and preventing money mules due to poor onboarding controls, transaction monitoring, training and governance; poor complaint handling; and poor understanding and response to customer vulnerability.

  • A new corporate offence of failure to prevent fraud was introduced in 2023 as part of the Economic Crime and Corporate Transparency Act. The offence is expected to come into force once the government has published guidelines in Spring 2024.

Anti-fraud measures are also being taken in other jurisdictions, albeit not at the same scale as in the UK.

  • In the EU, the introduction of PSD3 revisions forecast for late 2024 will extend IBAN/name matching verification to all credit transfers, introduce an obligation for payment service providers (PSPs) to increase awareness of payment fraud among customers and staff, and establish a legal basis for PSPs to share fraud-related information in full respect of GDPR via dedicated IT platforms.  

  • In the US, federal requirements to report company ownership to FinCEN’s Beneficial Ownership Information Registry went live on 1 January 2024, pursuant to the 2021 Corporate Transparency Act.  It is hoped this will increase corporate transparency and help reduce fraud.

  • While there is no proposal on the horizon in the US for an accountability model or a common reimbursement scheme, the biggest US banks decided to begin refunding Zelle scam victims last year, a trend towards collective action which we could see reflected elsewhere alongside a push for greater consumer protection.

Sanctions

The various geopolitical events of 2023 played themselves out in the sanctions world, with new legislation and designations issued in relation to Russia, Hamas, Sudan, Iran and others.  Human rights violations, narcotrafficking and crypto scams were also all in the spotlight. 

  • OFSI’s annual report for the financial year 2022 to 2023, published in December 2023, revealed that despite imposing “the most severe sanctions the UK has ever imposed on any major economy”³ on Russia, recording 473 suspected breaches and opening 172 investigations by April 2023, there has so far been zero enforcement for post-February 2022 sanctions breaches in relation to Russia. We predict 2024 will be a more active year for enforcement, as some of those investigations bear fruit.  

  • We also predict continuing cooperation between OFSI and the FCA, with the former focusing on enforcement and the latter on ensuring effectiveness. The FCA conducted a targeted assessment of firms’ sanctions controls in 2023 and shared the good and bad practices observed⁴, which will likely form a benchmark for regulatory reviews in 2024.

  • In the EU, we predict a push towards standardised enforcement across member states in 2024.  We understand states with a “less mature” track record of sanctions enforcement are being given firm instructions to up their game, as well as training and guidance to help them do so.

  • In the US, we predict more of the same from OFAC in terms of the nature of sanctions regulations and enforcement, with the upcoming presidential election likely to shape the strategic priorities. 

  • In December 2023, OFAC issued an Executive Order expanding the US’s ability to target financial institutions outside of Russia that facilitate transactions involving Russia’s military-industrial base.  We should see in 2024 how the US intends to use this new measure and whether it will be a significant weapon in its sanctions arsenal, and which Russia-tolerant countries are in the crosshairs.

PEPs

In 2023 the concept of Politically Exposed Persons (PEPs) entered the public consciousness in the UK like never before, with the scandal surrounding the closure of Nigel Farage’s bank account at Coutts and a subsequent review by the FCA into whether PEPs are being routinely denied access to financial services.  

Meanwhile we saw corruption scandals involving PEPs continue to emerge around the world, including two former Latin American presidents censured by the US government over allegations of corruption, a procurement scandal in the Ukrainian Ministry of Defense, ongoing revelations about the UK government’s awarding of contracts during the Covid-19 pandemic, and many more!  

Here’s what’s new for 2024:

  • In the UK, new legislation came into effect on 10 January 2024 amending the Money Laundering and Terrorist Financing Regulations and mandating that the starting point for assessing the risk posed by domestic PEP clients is lower than non-domestic PEPs. Read more in FINTRAIL’s blog here.

  • The FCA’s review of how financial institutions manage PEP clients, launched in September 2023, is due to be published in June 2024. It will cover how PEPs are defined, how their risk levels are assessed, whether firms are carrying out risk-based and proportionate enhanced due diligence, and how firms take decisions to reject or close PEP-related accounts.

  • In similar moves in the Netherlands, the Dutch Banking Association and the Dutch Central Bank have announced that Dutch banks are also now expected to focus on individual customers’ actual risk profile and to take less invasive due diligence measures for lower-risk PEP clients.

How we can help

At FINTRAIL we help banks, payments institutions, e-money institutions, virtual asset service providers (VASPs) and other regulated institutions around the world to reduce their exposure to financial crime and ensure regulatory compliance.  We do this through the provision of the highest quality consultancy services, based on deep sectoral experience and pragmatism.

We offer support through:

If you would like to discuss any of the topics raised above, or need help enhancing your anti-financial crime programme or ensuring your team is ready for the year ahead, please do get in touch.


PEP Guidance Reflecting Recent UK Regulatory Changes

In December 2023, the UK government announced changes to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLRs”) in relation to the treatment of Politically Exposed Persons (“PEPs”) entrusted with prominent public functions in the UK (“domestic PEPs”).  These changes came into force on 10 January 2024.

The update means that under the MLRs, when dealing with domestic PEPs (or a family member or known close associate of a domestic PEP) the starting point for banks and other regulated firms is to treat them as inherently lower risk than non-domestic PEPs. This means that firms must apply a lower level of enhanced due diligence (“EDD”) to domestic PEPs compared to non-domestic PEPs, unless other higher risk factors are present (i.e. risk factors other than the PEP status itself).

With this move, the government is encouraging regulated firms to take a more proportionate and risk-based approach to the treatment of domestic PEPs.  This follows reports that a number of individuals that hold a prominent public position have encountered difficulties accessing financing services.  

The new requirements largely mirror guidance previously published by the Financial Conduct Authority (FCA) on the treatment of PEPs, but now enter into law for the first time.  In parallel with this regulatory change, the FCA is undertaking a review of the treatment of domestic PEPs, with a report due to be issued in June.

However, the proposed changes have not been universally well received by industry experts, and have caused some confusion around how they should be implemented.  For example, practitioners have questioned when enhanced measures will be applied and how higher risk factors will be identified, given the initial level of EDD is now low (i.e. how will firms know if there are any higher risk factors if they are not carrying out robust EDD?). The regulation is not prescriptive in this regard, and as such the onus is on firms to determine what “higher risk factors” may be and how they are to be identified using lower levels of EDD. This has raised the question of whether a firm that does not perform full EDD (per the regulations) and misses something will be deemed wilfully blind or reckless, and whether it will run the risk of regulatory blowback or prosecution. The upcoming FCA report may provide more clarity, but given the speed with which the changes have entered into law, regulated institutions must use their own judgment in the meantime.

Commentators have also expressed concerns that the UK MLRs now do not align with the Financial Action Task Force (“FATF”) recommendations, specifically Recommendations 12 and 22 which require firms to implement measures to prevent the misuse of the financial system by PEPs, and Recommendation 10, which requires firms to take additional measures beyond performing normal customer due diligence on PEP customers. 

Given the regulatory focus on this topic, FINTRAIL has designed a checklist of points to consider for PEP customers across the anti-financial crime framework.


Download the PEP Guidance Checklist

What areas does the checklist cover?

  • Governance

  • Policies and procedures

  • Financial crime risk assessment

  • Customer risk assessment

  • Customer due diligence and enhanced due diligence

  • Ongoing monitoring (including screening)

  • Transaction monitoring and suspicious activity reporting

  • Awareness and training

  • Assurance


The PSR publishes APP fraud performance data

As UK fraud watchers will be well aware, the UK’s Payment Systems Regulator (PSR) has embarked on a multi-pronged approach to reduce authorised push payment (APP) fraud within the Faster Payments System. As well as new mandatory reimbursement requirements due to come into effect in 2024, the PSR hopes to motivate regulated firms to improve their fraud controls by publishing performance data. This will show how much money connected to APP fraud is sent and received by each payment firm, and how firms perform when it comes to reimbursing victims.

The PSR has published the first ‘league tables’ today, showing data for 2022. The stats cover the UK’s 14 largest banking groups (‘directed firms’, which are obliged to report APP fraud data), plus nine other smaller firms that were among the top 20 highest receivers of fraud.

The performance tables will give firms that are successfully reducing APP fraud losses a competitive advantage, as they will enable customers to see how well individual banks perform in reducing fraud and how well they treat victims.

Recap: what is authorised push payment fraud?

APP fraud is a scam where fraudsters trick victims into sending them money. The account holder authorises the transaction, sending their money willingly but under false pretences.

Examples

Impersonation scams involve the fraudster pretending to be a trusted party like a bank employee or government official, for instance convincing the victim that their bank account is compromised and urging them to move their funds to a ‘trusted’ bank account which is actually under the fraudster’s control.

Romance scams, where a fraudster builds an online relationship with a victim and requests money for various reasons, such as bogus medical expenses or travel costs, supposedly to meet the victim.

Invoice scams, where victims are tricked into paying an invoice that seems to be sent by a legitimate supplier, normally via email. The invoice might be entirely fake, or fraudsters may have intercepted a real invoice and altered the bank details or changed the payment link.

Other examples of APP fraud include employment scams, rental scams, and charity donation scams — where money is sent under false pretences to secure employment, a rental apartment, or donate to a charitable cause respectively.

Key takeaways

1. There are inconsistent outcomes for customers reporting APP fraud. Some firms automatically reimburse victims nearly all of the time, others only make partial reimbursements, and others only consider claims in very narrow circumstances. This inconsistency should reduce with the introduction of mandatory reimbursement for all PSPs in 2024.

In terms of value reimbursed, the figures range from 91% (TSB) to 10% (Allied Irish Bank GB). In terms of volume, they range from 94% fully reimbursed plus 4% partially reimbursed (TSB), to 6% fully reimbursed plus 8% partially reimbursed (Monzo) and 12% fully reimbursed (Allied Irish Bank GB).

NB: PSPs are not currently required to reimburse victims of APP fraud. However, as of 2019, participants in the APP Contingent Reimbursement Model Voluntary Code (‘CRM Code’) have voluntarily agreed to reimburse fraud losses. To date there are nine firms signed up, representing the UK’s major banks with over 90% of the market in payment volumes. These firms would therefore be expected to have much higher reimbursement figures.

2. The data showing which firms receive the most money generated by APP fraud show a massive degree of variation, indicating fraudsters have identified which firms have weak controls and are actively exploiting them.  Newer and smaller PSPs typically have disproportionately higher rates of fraud than larger, more established firms.  The PSR notes these firms are at a much earlier stage of preventing fraud than major banks, and are not part of the voluntary CRM Code.

For non-directed PSPs (i.e. smaller firms), the rates of fraud-related funds received range from £10,355 per £1m received (Clear Junction) down to £334 (JP Morgan/Chase).  The figures were still widely discrepant but over a smaller range for directed PSPs, ranging from £696 per £1m received (Metro Bank) to just £44 (Santander).

Reasons for some firms having high rates of receiving fraud could include fewer, poor or delayed onboarding checks which would allow fraudsters to open and close accounts before being caught, or weaknesses in inbound transaction monitoring which prevent incoming fraudulent funds being identified and held.

NB: The PSR notes that some firms provide payment accounts to customers but do not manage the customer relationship themselves (e.g. banking-as-a-service providers).  The PSR states that irrespective of whether the firms manage the customer relationships themselves, they retain the regulatory responsibility and are expected to ensure their partners manage the risk of onboarding new customers, conducting identity checks, and monitoring transactions effectively.

3. Firms have started to address control gaps, and the PSR believes the situation may have improved over 2023 given greater levels of awareness and industry initiatives, but more still remains to be done.

Outcomes

While these figures date back to 2022, they conclusively show that there is a huge gulf in levels of exposure to APP fraud across the UK payment industry.  Many firms need to radically up their game to prevent themselves being used by fraudsters, and there is a clear imperative to do so given the incoming mandatory reimbursement requirements.  Put simply, unless the most exposed firms are able to reduce the value of fraudulent funds they receive, the resultant reimbursements could put them out of business.

The PSR has said it expects firms to start working “now” to implement the new requirements, beginning by allocating appropriate resources, moving towards adopting a stronger risk-based approach to payments, and making better decisions on when to intervene and hold or stop a payment. 

There are numerous anti-financial crime controls which play a role in reducing APP fraud exposure:

  • Customer due diligence, including identity verification

  • Customer risk assessments, covering customers both as fraudsters (receiving funds) and as victims (sending funds)

  • Ongoing monitoring, including transaction and other activity monitoring

  • Information sharing mechanisms and responsiveness to peer institutions and law enforcement

  • Use of internal data and financial intelligence

  • Robust assurance of fraud controls

  • Staff training

How we can help

FINTRAIL is here to help PSPs adapt to the new requirements. Over the last five years we have worked with a range of institutions to successfully reduce their APP fraud exposure.

We offer a range of innovative, data-driven services to improve the effectiveness of your fraud controls and enable better identification of fraud risks. For firms considering where to start, we can conduct a thorough, data-driven risk assessment to identify current weaknesses in frameworks and controls and recommend practical enhancements that will reduce your potential liability exposure. This may include product and feature changes/enhancements, customer vulnerability assessments, new transaction monitoring scenarios, or enhancements to your customer risk assessment model. We can also conduct targeted audits of existing controls, or provide assurance and validation of programme changes being introduced to meet the new reimbursement requirements.

Get in touch with our team to learn more.

Sanctions Q&A: Growing sanctions compliance with the business

All firms, regardless of their size, are required to comply with sanctions. With the potential of significant fines, business restrictions and reputational damage, getting sanctions wrong can have significant consequences, and it is important that firms ensure the controls put in place on day one are still fit for purpose as the business grows, or when regulatory requirements change.

In this rapid fire Q&A with FINTRAIL Senior Consultant & Sanctions Lead Emil Dall, we will explore how sanctions compliance programmes can and should adapt over time.

Q1 - Why is it important to adapt sanctions compliance over time?

There is no one size fits all when it comes to sanctions compliance. For example, a FinTech operating only in the UK may initially find their sanctions risk sufficiently covered by deploying a simple name screening solution, and focusing exclusively on the UK sanctions list. However, as the company grows over time, their sanctions profile will change as well. This could include:

  • An expanded product offering, which may be impacted by sectoral sanctions.

  • A growth in customer base, leading to potentially more sanctions alerts and possible matches.

  • Expanding to new markets, and introducing cross-border payments to and from jurisdictions that are at higher risk for sanctions.

FinTechs have unique product features and selling points to distinguish themselves from their competition, however this can also create novel sanctions risks. Firms should carefully consider what controls adequately address their sanctions risk. For example, while OFAC does not prescribe what specific controls firms must use, the agency expects firms “to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance programme”.

Q2 - If my products or customers remain the same, can our sanctions compliance programme also stay the same?

No. Even if a firm’s products or customers do not change significantly over time, sanctions compliance cannot be left to its own devices. Sanctions risk is ever-changing, particularly since Russia’s invasion of Ukraine in 2022. The number of designated individuals and entities has increased exponentially, with the networks of those designated extending far beyond just Russia, and novel sectoral sanctions have been imposed prohibiting certain services, trades or activities connected with Russia. 

Staying up to date with regulatory requirements and how your products may be affected by specific prohibitions is key. In September 2023 the Financial Conduct Authority in the UK highlighted that when it comes to Russia sanctions, “firms that had taken advanced planning for possible sanctions before February 2022 were in a better position to implement [them]”. Staying on top of regulatory requirements and being prepared for what might come next is now expected by regulators.

Q3 - What are the key components of an effective sanctions compliance programme?

A sanctions compliance programme will look different in every firm, depending on its size and operations. Some components may be present from day one, and become more sophisticated over time, while other components will only be introduced as the firm grows. This includes:

  • A sanctions risk assessment, perhaps initially conducted as part of a wider enterprise wide risk assessment, or later as a standalone sanctions risk assessment.

  • Sanctions screening systems, which should be tested to ensure they work as intended and calibrated over time in line with the firm’s customer portfolio and sanctions risk. 

  • Governance and oversight, including maintaining up-to-date policies, operating procedures, reporting obligations across all jurisdictions where the firm operates, and management information on sanctions trends.

Q4 - How can FINTRAIL help?

FINTRAIL can assist businesses that do not yet have a built-out sanctions compliance function, as well as those who are looking to enhance their existing sanctions policies and procedures. 

Regardless of where you are in your sanctions compliance journey, we assist clients of all sizes in building and maintaining an effective sanctions compliance programme that meets regulatory expectations - this includes development or enhancement of sanctions policies and procedures, sanctions risk assessments, sanctions screening and controls, and carrying out audits of sanctions compliance programmes.

In addition, we are sanctions policy experts with experience working with governments across North America, Europe and Asia on sanctions design and implementation, and we can help firms be tuned into relevant changes in the fast-moving sanctions regulatory landscape.



Travel Rule: State of Play

Introduction

With deadlines looming in many jurisdictions to implement FATF Recommendation 16, also known as the “travel rule”, crypto has been front and centre of the anti-financial crime spotlight. While the travel rule was first adopted in 2019 by the Financial Action Task Force (FATF), a recent targeted update from June 2023 shows that member countries struggle to implement it. According to the update, over half of those surveyed have not taken any measures to implement the rule. While progress has been made since the survey, the topic of the travel rule and the associated ‘sunrise issue’, which refers to its uneven and phased worldwide adoption, continues to be significant. Delving deeper into this topic, FINTRAIL explores some common challenges firms face in implementing the crypto travel rule while unpacking the state of play in key jurisdictions.

A refresher: what is the travel rule? 💸

The travel rule, which comes under FATF’s Recommendation 16, “requires virtual asset service providers (VASPs) to obtain, hold, and transmit required originator and beneficiary information, immediately and securely, when conducting virtual asset (VA) transfers.” By doing so, VASPs and financial institutions can conduct effective sanction screening, detect suspicious transactions, and essentially bring crypto assets under the same regulatory umbrella as other types of financial transfers such as wires. The threshold amount is $1,000 or €1,000 - meaning that any transfer over this amount requires identifiable information to be shared on the originator and beneficiary.

The travel rule stipulates that transactions above $1,000 or €1,000 require the following information to be transmitted:

The originator VASP

  • The originator’s name

  • The originator’s wallet address

  • The originator’s physical address, national identity number, customer identification number, or date and place of birth

The beneficiary VASP

  • The beneficiary’s name

  • The beneficiary’s wallet address

For transactions below the $1,000 or €1,000 threshold, the following information must still be transmitted:

The originator VASP 

  • The originator’s name

  • The originator’s VA wallet address or a unique transaction reference number for VA transfers

The beneficiary VASP 

  • The beneficiary’s name 

  • The beneficiary’s VA wallet address or a unique transaction reference number for VA transfers
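To make the tiered data requirements above concrete, here is an added example checker (FINTRAIL's own code is not shown on this page, and this is not any VASP's implementation) that tests a transfer message against the originator and beneficiary data sets for the amount and jurisdiction in question. The jurisdiction codes, field names and the UK threshold are assumptions for illustration; the FATF, EU and US thresholds are those stated in the article.

```python
"""Travel rule field checker (added example, not FINTRAIL's or a VASP's code).

Encodes the originator/beneficiary data sets listed in the article and the
per-jurisdiction thresholds it gives. Jurisdiction codes and field names are
illustrative assumptions, not a real travel-rule messaging standard.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Amount (fiat-equivalent, major units) above which the full data set must
# travel with the transfer. None = always required (EU Transfer of Funds Regulation).
THRESHOLDS: Dict[str, Optional[int]] = {
    "FATF": 1000,  # Recommendation 16 baseline: $1,000 / EUR 1,000
    "UK": 1000,    # assumption: UK MLRs follow the FATF baseline
    "EU": None,    # Transfer of Funds Regulation: no minimum
    "US": 3000,    # FinCEN threshold stated in the article
}

# When the full data set applies, one of these must accompany the originator's
# name and wallet address.
ORIGINATOR_ID_OPTIONS = (
    "physical_address",
    "national_id",
    "customer_id",
    "date_place_of_birth",
)


@dataclass
class TransferMessage:
    amount: float
    originator: Dict[str, str] = field(default_factory=dict)
    beneficiary: Dict[str, str] = field(default_factory=dict)


def full_data_required(amount: float, jurisdiction: str) -> bool:
    """True when the transfer is over the jurisdiction's threshold, or there is none."""
    threshold = THRESHOLDS[jurisdiction]
    return threshold is None or amount > threshold


def missing_fields(msg: TransferMessage, jurisdiction: str) -> List[str]:
    """Return the required travel-rule fields absent from the message (empty = complete)."""
    gaps: List[str] = []
    o, b = msg.originator, msg.beneficiary

    # Names are required at every amount.
    if not o.get("name"):
        gaps.append("originator name")
    if not b.get("name"):
        gaps.append("beneficiary name")

    if full_data_required(msg.amount, jurisdiction):
        if not o.get("wallet_address"):
            gaps.append("originator wallet address")
        if not any(o.get(k) for k in ORIGINATOR_ID_OPTIONS):
            gaps.append("originator identifier (" + " | ".join(ORIGINATOR_ID_OPTIONS) + ")")
        if not b.get("wallet_address"):
            gaps.append("beneficiary wallet address")
    else:
        # Below threshold: a wallet address or a unique transaction reference suffices.
        if not (o.get("wallet_address") or o.get("transaction_ref")):
            gaps.append("originator wallet address or transaction reference")
        if not (b.get("wallet_address") or b.get("transaction_ref")):
            gaps.append("beneficiary wallet address or transaction reference")
    return gaps


def assess_transfer(msg: TransferMessage, jurisdiction: str,
                    counterparty_rule_in_force: bool = True) -> Dict[str, object]:
    """Field check plus the 'sunrise issue' handling the article describes for UK firms:
    the sending firm still collects and holds the data even if the counterparty cannot
    receive it, so gaps are reported either way; a counterparty in a jurisdiction that
    has not yet implemented the rule is flagged for a risk-based review."""
    gaps = missing_fields(msg, jurisdiction)
    return {
        "complete": not gaps,
        "gaps": gaps,
        "risk_based_review": not counterparty_rule_in_force,
    }


# Constructed sample messages (not real transfers or addresses).
SAMPLE_BELOW = TransferMessage(
    amount=800,
    originator={"name": "A. Sender", "transaction_ref": "TXN-0001"},
    beneficiary={"name": "B. Receiver", "wallet_address": "example-addr-to"},
)
SAMPLE_ABOVE = TransferMessage(
    amount=1500,
    originator={"name": "A. Sender", "wallet_address": "example-addr-from"},
    beneficiary={"name": "B. Receiver", "wallet_address": "example-addr-to"},
)

if __name__ == "__main__":
    # The same message passes in one jurisdiction and fails in another,
    # which is the cross-border variation the article describes.
    for label, msg in (("below", SAMPLE_BELOW), ("above", SAMPLE_ABOVE)):
        for code in THRESHOLDS:
            print(label, code, assess_transfer(msg, code))
```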

As countries work to transpose the travel rule into their own regulatory frameworks at varying rates, here’s the current state of play for key jurisdictions:

The United Kingdom 🇬🇧

On 17th August the Financial Conduct Authority (FCA) published a statement outlining the expectations for UK businesses complying with the travel rule. Since the publication of the FATF Recommendation, the UK has amended its Anti-Money Laundering and Terrorist Financing regulations (MLRs) accordingly. The recent statement from the FCA highlights that firms must adhere to the travel rule from 1 September 2023.

In addition to full compliance with the rule, the expectations outlined by the FCA include taking reasonable steps and due diligence for compliance, regularly reviewing the implementation status of the rule in other jurisdictions to adapt business processes appropriately, and responsibility for compliance even when using third-party suppliers. 

When sending crypto-asset transfers to a jurisdiction without the travel rule, the FCA specifies that firms must take all reasonable steps to establish whether the receiving firm can receive the required information. If it cannot, the UK firm must still abide by the MLRs, collecting, storing, and verifying the information appropriately. Receiving crypto-asset transfers from a jurisdiction without the travel rule requires a risk-based assessment before making the funds available to the beneficiary. Decisions should consider the jurisdiction(s) in which the sending firm operates and the status of the travel rule in those countries.

The European Union 🇪🇺

In the EU, the Transfer of Funds Regulation will implement FATF’s travel rule and extend wire transfer requirements to crypto providers. The regulation will have no minimum, meaning all transactions will require identification information to be shared, regardless of the amount. The law also covers transactions above €1,000 from self-hosted wallets when interacting with hosted wallets managed by crypto-asset service providers.  

Explainer: What are self-hosted wallets?

Self-hosted wallets are digital wallets where the user has sole control over their private keys, permitting them to store, send, and receive crypto without needing a centralised platform or intermediary.

The regulation will apply from 30 December 2024.

The United States 🇺🇸

In May 2019, the Financial Crimes Enforcement Network (FinCEN) published clarifying guidance on applying existing regulations to convertible virtual currencies. The consolidating document clarifies the inclusion of virtual currencies in the travel rule initially created for fiat currencies. The threshold in the US is currently $3,000; a rule change was proposed to lower the threshold to $250 for international transfers, but this has not yet gone into effect.

Challenges to implementation

Among the notable challenges to the travel rule’s implementation, the ‘sunrise issue’ speaks to the staggered and nonuniform application of the rule across jurisdictions. For example, Singapore and Japan have already implemented the travel rule, on 28 January 2020 and 1 June 2023 respectively, whereas countries in the EU have until the end of 2024. These different timelines pose challenges as firms must send information to firms in countries that may not be mandated to receive or transmit data. Additionally, there may be jurisdictional variances as countries transpose the travel rule into their own national regulations differently. The United States, for example, currently has a threshold of $3,000 rather than FATF’s recommended $1,000. These differences mean VASPs are tasked with navigating cross-border variations. 

Recognising the uneven global application, the FATF noted that VASPs should consider additional control measures for countries with weak implementation, such as rigorous monitoring of transactions with VASPs based in higher risk countries, “placing amount restrictions on transactions, or intensive and frequent due diligence.” 

Another key practical challenge is technology requirements, as the rule requires firms to deploy complex technology solutions that were previously unavailable. In Australia, where the travel rule has yet to be transposed into national law, officials said in 2021 that there were insufficient technological capabilities to implement the rule adequately.  VASPs must exchange data with other VASPs through messaging protocols, and varying formats raise interoperability issues. Other concerns stem from navigating data privacy, data processing requirements, and security concerns. All these factors make the practical implementation of the travel rule a daunting task.

How FINTRAIL can help

FINTRAIL is experienced in working with VASPs, including cryptocurrency trading platforms and traditional firms with exposure to crypto-assets in the UK, Europe, APAC and globally. We help VASPs around the world ensure regulatory compliance and an effective implementation of the travel rule. Through the provision of the highest quality consultancy services, based on deep sectoral experience and pragmatism, we help firms reduce their exposure to financial crime.


PEPs in Perspective: How to manage politically exposed clients

Introduction

Earlier this month, Chancellor Jeremy Hunt asked the UK’s Financial Conduct Authority (FCA) to investigate whether financial institutions are closing politicians' bank accounts on a widespread basis. Sparked by a controversy involving former Brexit Party leader Nigel Farage, who accused the private bank Coutts of closing his account because of his political views, the topic of politically exposed persons (PEPs) and debanking has come to the fore. The discussion arises against the backdrop of a significant increase in account closures because of anti-money laundering efforts over the last few years.

The FCA has now issued a data request to banks, specifically asking if accounts have been closed due to political opinions and has confirmed it aims to provide an initial assessment by mid-September - a phenomenally fast turnaround for a potentially tricky exercise. 

Payment account regulations in the UK state that everyone has a right to open a basic bank account. Financial service providers cannot discriminate on the basis of protected characteristics such as gender, religion, and race, as per non-discrimination legislation. However, outside of these protections, financial institutions are entitled to decide which customers they choose to bank in line with their risk appetite. For example, firms may turn away specific industries, such as adult entertainment, gambling, or manufacturers of firearms and ammunition, if they are deemed too risky.  While the Coutts case focuses more on political views and reputation rather than financial crime risk, a buzz has been created around PEPs and debanking in an anti-financial crime context.  

In response to this recent development, FINTRAIL has looked at some of the requirements and best practices for financial institutions when dealing with PEPs.

The basics

First, let’s visit the definition of what a PEP actually is. While each jurisdiction has its own specific meaning in line with its legal and regulatory framework, the Financial Action Task Force’s (FATF) influential definition is “an individual who is or has been entrusted with a prominent public function”. Family members and close associates of PEPs may also receive PEP designations. PEPs can be further broken down into the following categories:

  • Foreign PEPs: individuals given significant public roles by a foreign country.

  • Domestic PEPs: individuals given significant public roles within their own country.

  • International organisation PEPs: senior management in international organisations such as UN bodies, including directors, deputy directors, board members, or those with similar responsibilities.

The reason financial institutions are required to identify PEPs is that they pose a heightened risk of bribery and corruption, due to the opportunities afforded to them by their political office.

In the UK, a PEP, as defined by the Money Laundering, Terrorist Financing, and Transfer of Funds (Information on the Payer) Regulations 2017, is “an individual who is entrusted with prominent public functions, other than as a middle-ranking or more junior official.” The regulations include some helpful but non-exhaustive examples such as heads of state, ambassadors, and members of the supreme court. They state regulated institutions must be able to identify if a customer is either a PEP or “a family member or a known close associate of a PEP”.

PEP obligations for financial institutions

Each country differs in what it requires of financial institutions when it comes to PEPs. UK regulations state that financial institutions should place PEPs and their family members under enhanced due diligence. Similarly, in other jurisdictions like Singapore and Australia, regulators require financial institutions to apply enhanced due diligence to PEPs. While the exact nature of what constitutes enhanced due diligence has no prescriptive meaning and should form part of a risk-based approach, it commonly entails additional ongoing monitoring and screening measures such as adverse media screening. Some other examples of enhanced due diligence measures compiled by the FCA include establishing the source of wealth to ensure its legitimacy, commissioning external third party intelligence reports where necessary, and obtaining more robust verification of customer information from a reliable and independent source. 

In the United States, the term PEP refers to foreign individuals “who are or have been entrusted with a prominent public function, as well as their immediate family members and close associates.” There is no obligation to identify domestic PEPs. While not expressly requiring PEPs to undergo any enhanced due diligence, firms must take the appropriate action in line with a risk-based approach and the client’s risk profile. Notably, recent developments with the Anti-Money Laundering Act of 2020 have increased scrutiny on PEPs, encouraging financial institutions to enhance their policies.

Not all PEPs are created equal

In the last decade, PEPs have come into the spotlight for illicit activities and corruption revealed in investigations by organisations like the International Consortium of Investigative Journalists, such as the Panama Papers and Luanda Leaks. More recently, news has centred on Russian kleptocrats and the global sanction regimes targeting them, bringing the abuse of power of those politically connected to Vladimir Putin into public discourse. But are all PEPs automatically high-risk clients? 

While PEPs are generally considered at higher risk for bribery and corruption, this is contingent on a few factors. The FCA’s guidance outlines some of the indicators that make a PEP a higher-risk client for financial institutions, including involvement with a product “capable of being misused to launder the proceeds of large-scale corruption.” Another indicator centres on geographical considerations, like if a PEP is “entrusted with a prominent public function in a country that is considered to have a higher risk of corruption”, taking into account a range of factors like political instability, widespread organised criminality, human rights abuses and more.  Another consideration is the personal and professional nature of the PEP - if they have wealth inconsistent with known legitimate sources or are responsible for large public procurement exercises.  

So while there is a regulatory obligation in most countries to apply extra measures to all PEPs, not all genuinely pose a significant risk of bribery or corruption. It is also vital to note that conducting enhanced scrutiny of PEPs should never be done under the assumption that all politicians (or their families or close associates) are likely criminal actors. The overwhelming majority are not. In fact, a 2017 FCA guide explicitly states that firms are “required to recognise the lower risk” of UK PEPs, or PEPs from a country that has “similarly transparent anti-corruption regimes”. Depending on a holistic range of risk factors, some may be lower risk than others. Firms should effectively identify and monitor PEPs to ensure that, in the event suspicious activity does occur, they will flag it, investigate it, and report it. This approach is foundational to an effective anti-financial crime programme.

Best practices

Firms should regularly revisit their policies concerning PEPs to ensure their alignment with their internal risk appetite and risk-based approach. 

Some areas of focus include:

  • Having a clear risk appetite statement regarding PEPs, based on a nuanced understanding of the financial crime risk they pose whilst remembering simply banning PEPs is not appropriate.

  • Fortifying enhanced due diligence measures and processes to ensure the risks associated with PEPs are truly understood and mitigation measures are appropriate.

  • Regularly training staff on how to identify a PEP, the associated risks, and the processes to be followed once a PEP is identified.

  • Designing clear onboarding processes and exit strategies for PEPs.

At FINTRAIL, we combine deep financial crime risk management with industry expertise to optimise your anti-financial crime programmes. We’re here to support you in creating robust policies and procedures; refining, enhancing or testing your systems and processes; and providing context-based training to your teams. Get in touch to find out how we can help you refine your enhanced due diligence measures and incorporate an effective risk strategy for PEPs in a practical and efficient way. 


The Real (E)state of Money Laundering in Property

Introduction

Money laundering in real estate has been a hot topic of late, with explosive headlines from the UK to the UAE to Canada to Australia. Most glaringly, dirty money from Russia has attracted tremendous attention following last year’s unprecedented sanction regimes brought on by the invasion of Ukraine. In particular, the UK real estate market has received widespread criticism for serving as a haven for questionable funds from Russian oligarchs, giving popularity to the term ‘Londongrad’. Research by Transparency International has estimated £1.5 billion of UK property has been purchased by Russians accused of corruption or with links to the Kremlin. Such reports sparked outrage and even legislation requiring the beneficial owners of property to be disclosed in a new public register.

In light of this crackdown in the UK, Russian cash is seemingly heading to places like Dubai instead. According to one source, since the invasion of Ukraine, the “Russian population in the UAE has risen fivefold to as many as 500,000”, propping up the luxury real estate market. But even before the war, Dubai was a popular refuge for criminals from all over the world looking to stash their ill-gotten gains. Last year the Dubai Uncovered property leak disclosed data from 2020 on criminals, officials, and sanctioned politicians with ties to the Dubai property market. One of the people identified in the leak is a Czech politician named Libor Novák who is accused of corruption, listed as owning six apartments in the Dubai Marina worth nearly $2.7 million. Another illicit actor is the Estonian businessman Marko Taylor, a convicted fraudster listed as owning a villa and an apartment worth over $1 million.

These instances are far from isolated. Reports in Australia (where it is thought that criminals linked to China laundered $1 billion through real estate in 2020), Canada, and the United States demonstrate the popularity of real estate as a medium to hide and launder illicit proceeds from bad actors worldwide.

But why is the real estate sector so attractive to criminals?

Real estate can be used at different stages of the money laundering process. At the placement stage, in some jurisdictions with poor money laundering frameworks properties can be bought with physical cash, with minimal or no checks on identity or source of funds. At the layering stage, property can be used to transfer and obfuscate illegal funds using complex ownership structures with shell companies or trusts obscuring the original source of funds. Property is also a convenient way to satisfy source of funds checks: financial institutions will often accept the explanation that funds derive from the sale of a property in a less well-regulated jurisdiction, without going further back and asking how the customer came to have the money to buy the property in the first place. Finally, real estate can also be used to legitimise illicit funds at the final investment or integration stage.

Other aspects of real estate’s appeal are the same features that appeal to regular investors. Real estate is viewed as a stable investment and thus a safe place to invest, compared to speculative assets such as cryptocurrency or stocks. In prime property markets where prices are high and generally increase over time, criminals can increase their wealth even further. And since housing prices are subjective and fluctuate over time, it is easy for them to be manipulated and over- or undervalued.

A final advantage is that the high cost of property means criminals can launder large sums of money in a single transaction. As already noted, Dubai is a hot spot for luxury property transactions, being the “busiest market for $10mn-plus homes in the first quarter of 2023”, surpassing Hong Kong and New York. Reports state that the number of sales of homes in Dubai worth over $10 million has risen seventeen-fold in the last five years. For example, the average price of a villa in Dubai-Sea Mirror is around $20 million. 

While the real estate market is subject to money laundering regulations in most countries, this is seldom well enforced. In practice, anti-money laundering practices are often extremely lax or even non-existent. Even in jurisdictions with ‘respectable’ reputations, money laundering through real estate is rampant. Canadian cities Toronto and Vancouver are prime examples, being notorious for attracting nefarious actors who use the extortionate markets to absorb their funds. As public awareness of the problem increases, and housing crises caused by soaring prices continue, governments worldwide are taking steps to rectify the problem, including measures such as unexplained wealth orders and land and property ownership transparency registries.

Reasons why real estate is attractive to criminals:

  • Real estate is a stable investment that generally increases in value.
  • Pricing is subjective and overvalued houses are common, allowing real estate costs to be easily inflated.
  • As the cost of property is extremely high, criminals can launder large amounts in a single transaction.
  • Money laundering regulations for the real estate sector are seldom enforced and anti-money laundering practices are often very lax.
  • The sale of property is a good way to satisfy source of funds checks.

Common methods for money laundering 💸

One common method used to launder money through the real estate sector is purchasing a property using family and non-family proxies to avoid detection. This was clearly demonstrated in an investigation by the Organised Crime and Corruption Reporting Project (OCCRP), which revealed a Russian national named Sergey Toni owned real estate worth over $59 million despite having no visible profitable businesses. Sergey Toni’s father, however, is a deputy managing director of one of the largest transportation companies in the world, the state-owned Russian Railways. Another example revealed by the OCCRP is Chen Runkai, a Chinese property developer linked to a military corruption scandal. Chen owns million-dollar properties in the same Vancouver neighbourhood as his daughter, who purchased a mansion mortgage-free for about CAD 14 million (approximately £8.1 million) at the age of 25 while listing her occupation as a ‘student’.

Other common strategies include using anonymous front companies, especially in jurisdictions where anonymity is commonplace. This is particularly evident in the US, where certain states such as Delaware, Nevada and North Dakota allow for completely anonymous shell companies. While moves are underway in the US to create a database of beneficial ownership information, its effectiveness remains controversial. For more analysis on corporate transparency, check out FINTRAIL’s article here. The problem is widespread; anonymously held and corporate-owned real estate affects every jurisdiction with an international property market.  A recent Transparency International investigation from July 2023 revealed the scale of the problem in France, showing that “the vast majority of corporate-owned real estate in France is held anonymously”, and nearly a third of all companies have not disclosed who ultimately owns them, despite legally being required to do so. 

Criminals may also engage with third parties or trusts to be the legal owner of a property, further blurring true ownership.

What should financial institutions be doing?

For financial institutions looking to strengthen their anti-financial crime programmes against real estate money laundering, it’s vital to identify potential red flags and common typologies. Transactions involving real estate deals should be adequately scrutinised and the real estate industry as a whole should be considered higher-risk, potentially subject to enhanced due diligence measures. Compliance teams should focus on establishing original source of wealth and determining the ultimate beneficial owner of properties to identify nefarious actors or suspicious activity.

Potential red flags:

  • Multiple property purchases and sales made in a short period of time
  • Over / undervaluation of property prices
  • Complex loans or credit finance (repayment can be used to mix illicit and legitimate funds)
  • Financing of property using offshore lenders
  • Unusual income (e.g. no declared income or inconsistency between declared income and the standard / value of the property)
  • Cash purchases
  • Unknown source of funds for purchases (e.g. incoming foreign wire transfers where originator/beneficiary customers are the same)
  • Ownership of property is the customer’s only link to the country where real estate is purchased
  • Straw buyers or properties purchased using family members’ names
  • Properties purchased through front companies, shell companies, trusts and complex company structures
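As an added example (not FINTRAIL’s code), the Python below screens a customer’s property deals against the red flags listed above and returns the flags each deal raises; the record fields, thresholds and sample deals are constructed assumptions, so a real programme would calibrate them to its own risk appetite.

```python
# Added example, not FINTRAIL's code: rule-based red-flag screen for property
# deals. Field names, thresholds and sample records are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class CustomerProfile:
    name: str
    declared_income: float          # annual, in the deal currency
    residence_country: str
    other_country_links: Set[str]   # employment, family or business ties
    family_names: Set[str]          # known relatives, for the straw-buyer check


@dataclass
class PropertyDeal:
    deal_id: str
    country: str
    deal_date: date
    price: float
    independent_valuation: float     # from a source other than the buyer
    payment_method: str              # "cash", "wire" or "mortgage"
    title_holder: str                # name on the title deed
    holder_type: str = "individual"  # "individual", "company" or "trust"
    wire_originator: Optional[str] = None
    wire_beneficiary: Optional[str] = None
    lender_country: Optional[str] = None


# Constructed thresholds (assumptions, not regulatory values).
TURNOVER_WINDOW = timedelta(days=180)
TURNOVER_COUNT = 3                  # deals inside the window that count as rapid turnover
VALUATION_TOLERANCE = 0.25          # price more than 25% away from independent valuation
INCOME_MULTIPLE = 10                # price more than 10x declared annual income


def rapid_turnover_ids(deals: List[PropertyDeal]) -> Set[str]:
    """IDs of deals that sit in a run of TURNOVER_COUNT or more deals within the window."""
    ordered = sorted(deals, key=lambda d: d.deal_date)
    flagged: Set[str] = set()
    for i, start in enumerate(ordered):
        run = [d for d in ordered[i:] if d.deal_date - start.deal_date <= TURNOVER_WINDOW]
        if len(run) >= TURNOVER_COUNT:
            flagged.update(d.deal_id for d in run)
    return flagged


def deal_flags(profile: CustomerProfile, deal: PropertyDeal) -> List[str]:
    """Red flags a single deal raises on its own (turnover needs the whole history)."""
    flags: List[str] = []
    if deal.independent_valuation > 0:
        gap = abs(deal.price - deal.independent_valuation) / deal.independent_valuation
        if gap > VALUATION_TOLERANCE:
            flags.append("over_or_undervaluation")
    if deal.payment_method == "cash":
        flags.append("cash_purchase")
    if (deal.payment_method == "wire" and deal.wire_originator
            and deal.wire_originator == deal.wire_beneficiary):
        flags.append("unknown_source_of_funds")   # funds only moved between the same party's accounts
    if deal.lender_country and deal.lender_country not in {deal.country, profile.residence_country}:
        flags.append("offshore_lender")
    if profile.declared_income <= 0 or deal.price > INCOME_MULTIPLE * profile.declared_income:
        flags.append("income_inconsistent_with_value")
    if deal.country != profile.residence_country and deal.country not in profile.other_country_links:
        flags.append("property_is_only_link_to_country")
    if deal.title_holder != profile.name and deal.title_holder in profile.family_names:
        flags.append("straw_buyer_family_member")
    if deal.holder_type in {"company", "trust"}:
        flags.append("held_via_company_or_trust")
    return flags


def screen_customer(profile: CustomerProfile, deals: List[PropertyDeal]) -> Dict[str, List[str]]:
    """Map each deal ID to its red flags; deals that raise none are left out."""
    turnover = rapid_turnover_ids(deals)
    result: Dict[str, List[str]] = {}
    for deal in deals:
        flags = deal_flags(profile, deal)
        if deal.deal_id in turnover:
            flags.insert(0, "rapid_turnover")
        if flags:
            result[deal.deal_id] = flags
    return result


# Constructed sample: modest declared income, three overseas deals in five months,
# one bought in a relative's name, one through a company with an offshore lender.
SAMPLE_PROFILE = CustomerProfile("A. Example", 60_000.0, "GB", {"GB"}, {"B. Example"})
SAMPLE_DEALS = [
    PropertyDeal("D1", "CA", date(2023, 1, 10), 14_000_000, 9_000_000, "wire",
                 "B. Example", wire_originator="ACC-1", wire_beneficiary="ACC-1"),
    PropertyDeal("D2", "CA", date(2023, 3, 1), 2_000_000, 2_050_000, "mortgage",
                 "Example Holdings Ltd", holder_type="company", lender_country="KY"),
    PropertyDeal("D3", "CA", date(2023, 5, 20), 900_000, 880_000, "cash", "A. Example"),
    PropertyDeal("D4", "GB", date(2021, 6, 1), 400_000, 410_000, "mortgage",
                 "A. Example", lender_country="GB"),   # unremarkable domestic purchase
]

if __name__ == "__main__":
    for deal_id, flags in screen_customer(SAMPLE_PROFILE, SAMPLE_DEALS).items():
        print(deal_id, ", ".join(flags))
```

Each flag is an indicator for review, not a conclusion; the point of keeping them as named rules is that an analyst can see which red flag fired and why.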


Bridging the Gap: Integrating ESG Considerations with Anti-Financial Crime

Environmental, social and governance (ESG) considerations have become indispensable aspects of sustainable finance and responsible investing, generating a lot of attention and press coverage. Yet there is an important connection between ESG and financial crime which is seldom discussed.  Particularly, the harmful activities of environmental crime, such as illegal deforestation, wildlife trafficking, waste trafficking, and illegal mining, reap globally-felt negative consequences, which has prompted regulators and financial institutions to take action. Some estimates state that ESG regulations have increased by an astounding 155% over the past decade. The European Union, for example, has mandated corporate sustainability disclosures for large and listed companies since January 2023.  And in its most recent annual report, the European Banking Authority (EBA) highlighted the role of ESG risks in the prudential framework.

The three factors that comprise ESG are essential in assessing corporate reputation, investment risk, and sustainability. And both the undermining of ESG factors and the prevalence of financial crimes pose severe threats to firms and increase regulatory and financial risks. Additionally, as with all criminal activity, when ESG crimes occur, the proceeds must be laundered. This is where financial crime naturally overlaps with ESG.  A closer look at this intersection can provide valuable insight into how anti-financial crime compliance can further ESG objectives.

This article examines the relationship between ESG and anti-financial crime and the benefits of their integration, and takes a future view of how ESG will continue influencing anti-financial crime priorities and efforts.

E - Environmental 

As awareness and urgency to address climate change increase, harmful environmental practices have become more scrutinised. Climate action is no longer limited to individuals making voluntary eco-friendly choices but increasingly involves regulatory protections and legal requirements. 

Environmental crime threatens entire ecosystems, human health, and industries. It also reaps massive profits for criminals, being one of the most profitable crimes in the world. The latest figures estimate environmental crime generates $110-281 billion annually. Despite its profitability, environmental crime is perceived as a ‘low risk, high reward’ activity. A recent report on wildlife trafficking in Europe highlighted that because financial institutions lack knowledge of timber and wildlife trafficking typologies, suspicious financial transactions often go unnoticed. These unlawful activities are often linked to organised crime, corruption, and other illicit activities (e.g. environmental crimes such as illegal logging or waste trafficking reportedly fund non-state armed groups and militias, and have links to human trafficking and slave labour).

In case you missed it, check out FINTRAIL’s article on environmental crime, where we examine illegal waste trafficking, deforestation and logging. We explore how criminals typically launder the proceeds of these specific crimes and what financial institutions should do to respond.

Environmental crime has been a predicate offence in Europe since the EU’s Sixth AML Directive came into effect in 2020. In the past few years, the global authority on anti-money laundering and counter-terrorism financing (AML/CTF), the Financial Action Task Force (FATF), has published various guidance papers on money laundering from environmental crime and the illegal wildlife trade, marking it as a new area of awareness for financial institutions. In the reports, the FATF draws attention to links to terrorist financing and other areas of criminality.  National regulators have also released specific guidance, such as in Canada and the United States. And last year, for the first time, the Basel AML Index included environmental crime data in its methodology.

Along with a deeper analysis of environmental crime is the recognition that it undermines the sustainability goals set by the ESG framework. As illicit proceeds from environmental crime are laundered, financial institutions face reputational risk, regulatory risk, and financial risk — all of which directly concern ESG-focused investors and financial institutions.

S - Social

One of the key components of the ‘social’ pillar of ESG is human rights. Human trafficking, forced labour and modern slavery generate illicit revenue that finds its way into the legitimate financial system, directly impacting anti-financial crime programmes. Awareness of these crimes has gained significant traction in the past decade, with FATF guidance on topics such as migrant smuggling and money laundering, legislation such as the UK’s Modern Slavery Act of 2015, and frameworks for human-rights centred sanctions programmes such as the UK’s Global Human Rights Sanctions Regulation 2020.

ESG regulation relating to the ‘social’ pillar is also an important area of focus in the US, evidenced by the Uyghur Forced Labor Prevention Act, which prohibits the importation of goods that were produced by forced labour in the Xinjiang Uyghur Autonomous Region of China, and has serious implications on supply chains. While other jurisdictions have shied away from a total ban, there have been sanctions for human rights violations against the Uyghurs in places like the UK and Canada, with consequences for financial institutions’ screening programmes.

Such instances underscore the need for financial institutions to be alert to the regulatory and reputational risks associated with emerging social issues within ESG, emphasising the importance of understanding the risk a customer poses.

Case study: ESG ‘social’ pillar and anti-financial crime compliance

In 2020, the major Australian bank Westpac reached a settlement regarding more than 23 million breaches of AML laws, including failing to detect transfers involving child exploitation. The bank was fined AUD 1.3 billion ($922 million) by the regulator AUSTRAC - the biggest AML breach in Australia’s history. Among its failures, Westpac failed to implement adequate transaction monitoring scenarios to identify child exploitation risks, and to carry out appropriate monitoring and investigation of suspicious transactions.

G - Governance

Within the ESG framework, bribery and corruption are most clearly aligned with both the ‘governance’ pillar and anti-financial crime. Bribery and corruption have long been an area of focus for financial institutions in mitigating financial crime, evidenced by the need to employ special measures for managing politically exposed persons and treating them as higher risk customers. 

In updated guidance on anti-bribery and corruption (ABC) compliance programmes, the Wolfsberg Group stated that financial institutions should consider aligning their ABC programmes with “aspects of bribery and corruption risk which are connected to human rights or ESG concerns”. There have been recent reports of firms already including ESG factors within their ABC and financial crime risk rating systems and vetting clients, suppliers, and third party entities in vulnerable industries.

Integrating ESG principles with anti-financial crime strategies 

Overall, ESG is a high priority for regulators and will continue to gain significance with both official bodies and the general public.  This means that financial institutions should actively consider ESG risks as part of their risk-based approach and within their anti-financial crime programmes.

Concretely, this can mean:

  • Conducting enhanced due diligence for individuals or businesses involved in industries with a higher ESG risk (e.g. forestry, animal-related businesses)

  • Updating policies and risk appetite statements to account for ESG, and including ESG risk as part of business and customer risk assessments

  • Including ESG risk triggers in adverse media screening

  • Enhancing training on ESG risks for compliance staff, including exploring its connections to other areas of financial crime

Conclusion

Integrating ESG considerations into anti-financial crime strategies will become increasingly important as regulatory and industry bodies, like the FATF, focus on the financial aspect of environmental crimes, and as jurisdictions continue to legislate the ESG space. The connection between ESG principles and financial crime has critical implications in areas like risk assessments, screening, and due diligence. Recognising these ESG risks can mitigate financial risks, ensure regulatory compliance, and contribute to global sustainability goals. 



It’s not you, it’s me... Is it time to break up with your auditor?

High-profile corporate scandals and collapses such as Wirecard, Carillion, BHS, and the infamous Enron case draw out one recurring theme - how to keep auditors accountable. Conflicts of interest, poor quality and lack of independence have been the hallmarks of the recent scrutiny on audit firms across the UK and globally. As a response, reform is underway within the UK; HM Treasury has announced plans to reform the audit sector to promote quality and competition.

Whilst these reforms focus on corporate reporting, they also raise other questions - should regulated firms reflect on their financial crime audit process and is it time to shake things up?

The value of conducting a financial crime audit cannot be understated - simply put, it helps identify issues and deficiencies in your anti-financial crime (AFC) controls and systems and supports your regulatory compliance. It has long been a regulatory requirement; the Financial Conduct Authority’s Financial Crime Handbook highlights an independent audit (internal or external) to monitor the effectiveness of your AFC controls as a best practice. The European Banking Authority’s Guidelines on the Roles and Responsibilities of a Compliance Officer set out a clear expectation for annual independent (internal or external) AML audits to assess the effectiveness of controls, with the findings reported to senior management. Many partner banks also require their account holders to provide financial crime audits, with some having approved provider lists or set criteria.

With regulatory scrutiny only increasing, it is clear that a ‘check-the-box’ approach to AFC is no longer sufficient. Regulators not only expect firms to conduct an audit but are insisting audits are robust and are conducted by experienced and skilled AFC experts. This reinforces the importance of having a strong audit partner alongside strong internal controls and oversight.



We know that when you have built a strong relationship with your auditor over a number of years and they know your business well, this can be hard to walk away from. But this is often a key reason to make the leap.

Only the largest businesses in the UK are required to change auditors on a regular basis. For most firms, there is no strict obligation and it’s up to the firms to realise when they may need a fresh look from a new objective partner.

Your needs and business relationships will shift with time and circumstances. And this means your auditing needs may change, too. Sometimes it’s quite clear you need - or want - a new auditor, other times less so. However, changing your auditor periodically can bring advantages to your firm, whether that be fresh insights, a new perspective, or deeper sectoral expertise. It can:

  • Provide a new perspective - a new AFC audit firm may improve the robustness of your controls by asking different questions and taking a fresh look at your existing approach.  Having access to different industry leaders and tapping into their deep sectoral knowledge and experience may be a draw.

  • Provide objectivity - if one audit firm has reviewed your controls and processes year-in year-out, it may be more difficult for them to be objective or proactive in identifying issues that have previously been overlooked.  Working with a new audit partner helps address this potential risk.

  • Support the growth of your firm - as your firm grows you may start to offer new products or become more international, meaning that what was right for you in the past may not be right for you now. You may need an AFC audit firm with specific expertise in your current products, risks and markets.

  • Improve the quality of your current engagement - how an AFC audit is delivered matters. Audits should not adopt a one-size-fits-all approach; the ability to customise them to your needs is key.  Rather than settling for your current audit partner for the sake of simplicity, consider if there are other firms that can offer you a better service.

  • Increase value for money - price and service are often what this decision comes down to. A fair and competitive price from a firm equipped to respond to your needs quickly, with individuals willing to have open and frank discussions, will set a solid foundation for an effective and efficient audit.

Overall, the considerations for finding the right AFC audit firm to support your needs are unique for each business. A high-value, quality audit partner will understand your type of business and its financial crime risks, know the industry well, and use that knowledge to translate information into valuable and actionable insights.  A firm that focuses on attention to detail, offers practical and implementable recommendations, provides a responsive service and establishes a trusted relationship will be the right firm for you - for a few years of course!

So what is FINTRAIL’s position?  While normally we are delighted when clients come back to us year after year, with audits we take a different view and practise what we preach!  In line with professional standards, we advise clients to rotate away from us after three years to allow for a fresh set of eyes to review their programme.  They can always come back to us down the line, but we know that rotating to another audit provider for at least a year or two will benefit them most in the long run.

About FINTRAIL

At FINTRAIL we are passionate about combating financial crime. We have extensive experience conducting audits and assurance processes for financial services businesses. Our approach focuses on both ensuring regulatory compliance, and making suggestions for how firms can improve their operational effectiveness.

We have conducted audits covering financial crime and regulatory compliance across multiple sectors including retail and personal finance, business banking, payments, forex, investment, banking-as-a-service, and crypto. We also have significant international experience, conducting multi-jurisdictional audits across Europe and APAC.

Our unique team of experts is drawn from the industries we support and has deep hands-on experience in leadership roles with leading banks, FinTechs, and other financial institutions. Our approach is tailored to the unique circumstances of each client, is regulatory and technology driven, and is focused on providing excellent customer outcomes. We offer our clients pragmatic solutions to the most complex challenges.

Our goal is to ensure our clients can thrive, free from the negative impacts of financial crime.


Unravelling the EBA Report on the Risk of Payment Institutions

Anti-money laundering and terrorist financing controls are less than 10% effective in reducing the financial crime risks of payment firms. That is according to EU anti-money laundering and counter-terrorist financing (AML/CTF) supervisors that gauged the sector’s inherent and residual risk levels.  In a recent report, the European Banking Authority (EBA) stated that payment firms are not doing enough to manage money laundering and terrorist financing (ML/TF) risk, and not all EU member states are doing enough to supervise the sector effectively either. Because of variance and uneven supervision across the EU, payment institutions can establish themselves in member states with less robust oversight and authorisation procedures and access the rest of the EU market through passporting. 

The report highlights some of the sector’s key risk areas, including a specific call out for remote onboarding without appropriate safeguards, cross-border activity and exposure to high risk geographies, and the risks associated with agent networks.

Key findings

  • Despite a slight improvement in the quality of business-wide and individual risk assessments, there is a poor overall awareness of ML/TF risks.

  • Remote onboarding often lacks appropriate safeguards, leading payment institutions to fail to identify high-risk customers, including politically exposed persons (PEPs).

  • Many transaction monitoring systems are deficient or not in place at all. 

  • “Emerging threats” include white labelling (i.e. where payment institutions make their licence available to independent agents that develop their own products under the licence of the regulated financial institution), virtual IBANs, and third-party merchant acquiring.

  • The report stresses the risks associated with the use of networks of intermediaries, including agents.  There is no common EU-wide approach to the supervision of agent networks by payment institutions, or of payment institutions with widespread agent networks by regulators.  Agents’ core business is not always linked to the financial services industry, and many serve one or more payment institutions at the same time, making oversight difficult.  The EBA believes the risk has “crystallised” and that there is a high probability that agents are being exploited by criminals or criminal networks.

Comparison with the FCA

The release of the EBA’s paper comes only months after the UK’s Financial Conduct Authority (FCA) published a ‘Dear CEO letter’ outlining risks and priorities for payment firms. 

While some issues are flagged by both supervisors, such as sanction screening and lack of governance for scaling firms, there are some variances. The one glaring difference is the EBA’s lack of focus on fraud. Fraud levels are endemically high in both the UK and mainland Europe and are unlikely to decline given the current economic backdrop. As payment institutions are particularly vulnerable to this type of illicit activity, fraud’s absence in the EBA report is somewhat surprising. Additionally, the EBA’s explicit inclusion of remote onboarding as a risk suggests that certain EU institutions still struggle with this, despite comprehensive guidelines issued by the EBA and the endorsement of remote onboarding by multiple organisations including FATF.

Here are some comparative findings of common issues: 

What do payment firms need to do?

As outlined above, the FCA and EBA have both highlighted key problem areas for payment institutions.  While there are some differences in focus, it’s clear that both will require standards to be improved and risks to be better mitigated across the sector. 

As European supervisory authorities will likely increase scrutiny on the payment sector following the EBA’s report, payment firms can avoid expensive remediation and painful regulatory enforcement down the line by assessing their compliance programme and strengthening their controls now.


New Reimbursement Requirements for APP Fraud

On 7 June, the UK’s Payment Systems Regulator (PSR) published a policy statement outlining new requirements for reimbursing victims of authorised push payment (APP) fraud within the Faster Payments System.

What are the new requirements for APP fraud?

Once the regulations come into effect, currently slated for 2024, all payment service providers (PSPs) will be required to fully reimburse victims of APP fraud within five business days. There are exceptions for fraud or gross negligence by the payer, as well as an excess (value to be decided). The costs of reimbursement will be allocated equally between the sending and receiving PSPs, with a default 50:50 split. 

Why is this happening?

The need for a jolt to the system is clear; APP fraud has quickly become one of the most significant types of payment fraud globally.  The PSR reports that in 2022, there were around 207,000 reported cases on personal accounts with total losses of £485m (but notes this is likely an underestimate).

The authorities’ proposed solution as set out in this statement is also clear - shifting the onus for tackling APP fraud onto financial institutions and giving them a clear financial incentive to prevent it happening in the first place.   The PSR says that by adopting an outcome-based approach, it is giving the industry “the space to innovate and to choose how best to deliver the new reimbursement requirement” - i.e. moving away from tick-box compliance to focus on effectiveness. 

What does this mean for PSPs?

The implications for financial services firms are huge. For some, if they are not able to get their houses in order, the estimated costs could pose an existential threat large enough to put them out of business. We have spoken with industry contacts who have told us that some institutions and EMI agents are unlikely to survive under the new regime without significant changes, given how vulnerable they are to APP fraud. We know of estimated liability figures that are significant multiples above current fraud losses. Firms need to take meaningful, decisive action to protect themselves and their customers: to significantly improve how they identify inbound APP-fraud-related payments on their own books, and to identify and protect their customers as victims.

What does the PSR expect?

The PSR says it expects industry to start working “now” to implement the new requirements, beginning by allocating appropriate resources and understanding how they can meet the conditions. Specifically, firms should move towards adopting a stronger risk-based approach to payments, and make better decisions on when to intervene and hold or stop a payment. The PSR believes the requirements will lead firms to “innovate and develop effective, data-driven interventions to change customer behaviour” - a message that is music to FINTRAIL’s ears!

What can PSPs do?

So where should payment firms start?  There are numerous parts of an anti-financial crime framework which play a role in reducing APP Fraud exposure - all of which need to be assessed and enhanced:

  • Customer due diligence, including identity verification

  • Customers as victims; assessing vulnerability and improving awareness

  • Customer risk assessments, considering payment sending and receiving exposure

  • Ongoing monitoring, including transaction and other activity monitoring

  • Operational enhancements to process monitoring interventions and reimbursement claims

  • Responsiveness to peer institutions and law enforcement

  • Use of internal data and financial intelligence

  • Robust assurance of fraud controls

  • Staff training

How can we help?

FINTRAIL is here to help PSPs adapt to the new requirements. Over the last five years we have worked with a range of institutions to successfully reduce their APP fraud exposure. With our proven track record we can offer a range of innovative, data-driven services to improve the effectiveness of your fraud controls and enable better identification of fraud risks.

For firms considering where to start, we can conduct a thorough, data-driven risk assessment to identify current weaknesses in frameworks and controls and recommend practical enhancements that will reduce your potential liability exposure. This may include product and feature changes/enhancements, customer vulnerability assessments, new transaction monitoring scenarios, or enhancements to your customer risk assessment model. We can also conduct targeted audits of existing controls, or provide assurance and validation of programme changes being introduced to meet the new reimbursement requirements.

Auditing your Fraud Controls: Ensuring Confidence in your Anti-Fraud Programme

It’s no secret that fraud is one of the most pressing threats to financial institutions, exacerbated by stormy economic conditions. The most recent fraud report by UK Finance calls attention to post-pandemic unauthorised and authorised fraud trends, underlining the persistence of social engineering schemes which manipulate victims into giving up sensitive details or transferring funds. Overall, the report puts UK fraud losses at a striking £1.2 billion for 2022, which is equivalent to over £2,300 every minute.

These high fraud rates correlate with increasing regulatory expectations for firms to remedy weaknesses in their systems and controls. Most recently, the Financial Conduct Authority (FCA) emphasised fraud as a priority area in a Dear CEO letter outlining immediate actions for financial institutions to take.  These include the need to review risk appetite statements to ensure they adequately address the risk of fraud to customers, maintaining appropriate customer due diligence controls to prevent accounts from receiving proceeds of fraud, and regularly reviewing fraud prevention systems and controls to ensure effectiveness.

To address recent regulatory guidance on fraud for financial institutions, FINTRAIL has increased the scope of our fraud assessments as part of our standard audit offering. To find out how we can support your audit process and associated fraud controls, get in touch with our team.


This priority area corresponds with the UK government’s express inclusion of fraud in the most recent Economic Crime Plan and the launch of its fraud strategy, which is one of the most progressive in the world. The focus on fraud is not isolated to the UK alone; the United States’ Financial Crimes Enforcement Network (FinCEN) has also made it clear that combating fraud is a top priority, with the Monetary Authority of Singapore (MAS) also funnelling resources into anti-fraud initiatives. In view of this, we can expect further regulatory attention and enforcement concerning fraud.

As fraud remains a huge and growing financial crime threat on a global scale, regulators will not only require firms to have robust fraud controls as part of an effective anti-financial crime programme but will also increase their scrutiny of regulated entities in this area. Having an appropriate fraud strategy and mitigation measures in place directly translates into effective anti-financial crime controls, meaning financial institutions should review and fortify their framework.

In light of this fraud threat landscape and the associated regulatory expectations, FINTRAIL has increased the scope of fraud assessment as part of our standard audit offering, and also created a fraud audit checklist to help ensure that your anti-financial crime framework is primed and prepared for the risks it faces.


Download your copy of our Fraud Controls Checklist:

What areas does the checklist cover?

  • Risk Assessment and Risk Appetite

  • Governance and Management Information

  • Policies and Procedures

  • Customer Due Diligence

  • Enhanced Due Diligence

  • Anti-Fraud Systems and Controls

  • Customer Screening

  • Transaction Monitoring

  • Reporting and Information Sharing

  • Training and Awareness

  • Assurance and Audit

  • Horizon Scanning



Quality Control and Quality Assurance

In this post, we aim to take a close look at an often overlooked element of a good financial crime compliance programme - the process(es) of quality control (QC) and quality assurance (QA).   

It is one thing (a very good thing!) to have thorough policies and procedures and carefully designed controls, but it is another to understand if they are actually working properly. To this end, regulated institutions need to adopt frameworks to embed appropriate QC / QA practices. These activities are critical in ensuring the integrity of fincrime compliance processes, ensuring regulatory compliance, and safeguarding against illicit activities. In this article, we look at the significance of QC and QA and highlight their key components.

Definitions

First, let’s clear up a common area of confusion and clarify the difference between QC and QA. Both are crucial elements of a comprehensive compliance programme, but each serves a distinct purpose:

Quality control

A check to confirm that a process is being applied consistently and effectively, in line with documented processes or procedures.

QC is a control mechanism that involves detecting, analysing and rectifying compliance issues in real time, to identify whether analysts are adhering to policies and procedures, and to take remedial action if not.

QC can be characterised as a reactive or corrective process.  It happens in near real time, meaning errors or shortcomings can be corrected almost straightaway.

QC is traditionally owned by the first line of defence. It can be done by the same team(s) that perform the task being assessed. For instance, a senior team member may review one in every five tasks completed by a more junior team member (a ‘four-eyes review’).

Quality assurance

An objective review of the outcome of a specific process or control.  QA ensures a process has been followed correctly and reviews the outcome to identify weaknesses or room for improvement in the future.

QA is a proactive measure designed to ensure controls and processes are working effectively and are compliant with regulations.  

QA is more retrospective than QC, as it involves looking back over actions taken in the past, meaning it is designed to improve controls and processes in the future rather than address errors as they occur.

QA is traditionally owned by the second line of defence, i.e. compliance. This ensures it is objective, as one team reviews the work of another.

A key component of QA is sample testing, i.e. checking and validating a sample of completed activity at set intervals to confirm if appropriate standards have been met and if relevant policies and procedures have been followed.

Considerations for Success

Quality Control

  1. Ensure you map out all the processes which require QC.

  2. Consider proportionality. How frequently should you perform QC?  What percentage of tasks are you performing QC on? 

  3. Take a risk-based approach to QC. Increase the number / percentage of tasks checked for new joiners, poor performers or higher-risk scenarios.

  4. Ensure you have sufficient resources to perform QC. 

  5. Ensure you do something meaningful with the output, e.g. enhancing procedures or providing training.

Quality Assurance

  1. Set out a QA monitoring programme for the year. You don’t need to do it all at once, and you may not need to cover everything in one year if you deem that appropriate.

  2. Take a risk-based approach. Are there any areas that need an urgent deep dive? When was the last time particular controls received assurance? If you conducted QA on a process last year and the results were positive, maybe focus your time/resource somewhere else.

  3. Be aware of regulatory changes and horizon scanning. 

  4. Ensure you do something meaningful with the output, e.g. policy updates or system enhancements.  You should also feed the findings into your firm’s risk assessment to measure residual risks.

In conclusion, QC and QA are integral components of a robust financial crime compliance programme. By proactively implementing QA measures to improve processes and reacting swiftly to issues through QC practices, organisations can minimise the risk of illicit activities, safeguard their reputations, and comply with regulatory obligations.
