There is never a dull year in anti-financial crime, and 2023 was certainly no exception. From the introduction of the UK’s Economic Crime Bill, to new crypto laws including the EU’s regulation on markets in crypto-assets (MiCA), a global raft of sanctions against Russia, and legislative attempts to rein in the global fraud pandemic, there’s been plenty to keep on top of. 

It’s early days, but there seems no reason to believe 2024 will be any different.  We are already aware of several pieces of legislation due to come into effect this year, and various regulators have clearly signposted their current areas of focus via guidance notices and consultations with the industry.  So let’s read the tea leaves and see what financial institutions can expect in 2024!

FINTRAIL held a webinar on financial crime trends for 2024, and asked the audience what their main areas of focus were for the year ahead. This is how they responded at the end of the session.

Poll: What are your priorities and main areas of focus for 2024? Please select all applicable answers.

Fraud

Fraud is big global news. In the UK, for example, criminals stole over half a billion pounds in the first six months of 2023 alone¹. Traditional methods of deception are as popular as ever, and are being complemented by increasingly sophisticated cyber-attacks and intricate social engineering schemes. 

While regulators everywhere are acutely aware of the issue, the UK is leading the way in terms of a regulatory response.  In 2023, the Payment Services Regulator (PSR) undertook a multi-pronged approach to reduce authorised push payment (APP) fraud within the Faster Payments System, which is due to continue into 2024.  Here’s what to look out for: 

• New mandatory reimbursement requirements, announced in June 2023, are due to come into effect in October 2024. These will require both sending and receiving payment institutions to reimburse all victims of APP fraud in full based on a 50/50 split, with limited exceptions for fraud or gross negligence. Read more in our blog here.

• In 2024 the PSR will be publishing “league tables” of performance on APP fraud in 2023.  Last year’s report on 2022 data called out inconsistent outcomes for victims, and highlighted that certain receiving institutions took in a disproportionate volume of funds derived from APP fraud.  Expect to see more scrutiny of these areas in the 2024 report. Read more in our blog here.

• The coverage of the Confirmation of Payee scheme will be extended in October 2024, with all financial institutions that participate in Faster Payments or CHAPS required to implement the tool.

In other fraud news:

• The UK government launched its national Fraud Strategy in May 2023, which aims to reduce fraud by 10% on 2019 levels by December 2024.  The various measures announced under the strategy - such as a new national fraud squad, replacing Action Fraud with a new reporting system, cracking down on abuse of the telephone network, and engaging the tech industry - are ongoing.  Separately, the Home Affairs Committee inquiry into fraud launched in September 2023 will publish its results sometime this year.

• The FCA issued several guidance documents² on fraud in 2023, which implicitly set out what firms will be judged against in 2024.  The guidance highlighted issues with detecting and preventing money mules due to poor onboarding controls, transaction monitoring, training and governance; poor complaint handling; and poor understanding and response to customer vulnerability.

• A new corporate failure to prevent fraud was introduced in 2023 as part of the Economic Crime and Corporate Transparency Act. The offence is expected to come into force once the government has published guidelines in Spring 2024.
  

Anti-fraud measures are also being taken in other jurisdictions, albeit not at the same scale as in the UK.

• In the EU, the introduction of PSD3 revisions forecast for late 2024 will extend IBAN/name matching verification to all credit transfers, introduce an obligation for payment service providers (PSPs) to increase awareness of payment fraud among customers and staff, and establish a legal basis for PSPs to share fraud-related information in full respect of GDPR via dedicated IT platforms.  

• In the US, federal requirements to report company ownership to FinCEN’s Beneficial Ownership Information Registry went live on 1 January 2024, pursuant to the 2021 Corporate Transparency Act.  It is hoped this will increase corporate transparency and help reduce fraud.

• While there is no proposal on the horizon in the US for an accountability model or a common reimbursement scheme, the biggest US banks decided to begin refunding Zelle scam victims last year, a trend towards collective action which we could see reflected elsewhere alongside a push for greater consumer protection.

Sanctions

The various geopolitical events of 2023 played themselves out in the sanctions world, with new legislation and designations issued in relation to Russia, Hamas, Sudan, Iran and others.  Human rights violations, narcotrafficking and crypto scams were also all in the spotlight. 

• OFSI’s annual report for the financial year 2022 to 2023, published in December 2023, revealed that despite imposing “the most severe sanctions the UK has ever imposed on any major economy”³ on Russia, recording 473 suspected breaches and opening 172 investigations by April 2023, there has so far been zero enforcement for post-February 2022 sanctions breaches in relation to Russia. We predict 2024 will be a more active year for enforcement, as some of those investigations bear fruit.  

• We also predict continuing cooperation between OFSI and the FCA, with the former focusing on enforcement and the latter on ensuring effectiveness. The FCA conducted a targeted assessment of firms’ sanctions controls in 2023 and shared the good and bad practices observed⁴, which will likely form a benchmark for regulatory reviews in 2024.

• In the EU, we predict a push towards standardised enforcement across member states in 2024.  We understand states with a “less mature” track record of sanctions enforcement are being given firm instructions to up their game, as well as training and guidance to help them do so.

• In the US, we predict more of the same from OFAC in terms of the nature of sanctions regulations and enforcement, with the upcoming presidential election likely to shape the strategic priorities. 

• In December 2023, OFAC issued an Executive Order expanding the US’s ability to target financial institutions outside of Russia that facilitate transactions involving Russia’s military-industrial base.  We should see in 2024 how the US intends to use this new measure and whether it will be a significant weapon in its sanctions arsenal, and which Russia-tolerant countries are in the crosshairs.

PEPs

In 2023 the concept of Politically Exposed Persons (PEPs) entered the public consciousness in the UK like never before, with the scandal surrounding the closure of Nigel Farage’s bank account at Coutts and a subsequent review by the FCA into whether PEPs are being routinely denied access to financial services.  

Meanwhile we saw corruption scandals involving PEPs continue to emerge around the world, including two former Latin American presidents censured by the US government over allegations of corruption, a procurement scandal in the Ukrainian Ministry of Defense, ongoing revelations about the UK government’s awarding of contracts during the Covid-19 pandemic, and many more!  

Here’s what’s new for 2024:

• In the UK, new legislation came into effect on 10 January 2024 amending the Money Laundering and Terrorist Financing Regulations and mandating that the starting point for assessing the risk posed by domestic PEP clients is lower than non-domestic PEPs. Read more in FINTRAIL’s blog here.

• The FCA’s review of how financial institutions manage PEP clients, launched in September 2023, is due to be published in June 2024. It will cover how PEPs are defined, how their risk levels are assessed, whether firms are carrying out risk-based and proportionate enhanced due diligence, and how firms take decisions to reject or close PEP-related accounts.

• In similar moves in the Netherlands, the Dutch Banking Association and the Dutch Central Bank have announced that Dutch banks are also now expected to focus on individual customers’ actual risk profile and to take less invasive due diligence measures for lower-risk PEP clients.

How we can help

At FINTRAIL we help banks, payments institutions, e-money institutions, virtual asset service providers (VASPs) and other regulated institutions around the world to reduce their exposure to financial crime and ensure regulatory compliance.  We do this through the provision of the highest quality consultancy services, based on deep sectoral experience and pragmatism.

We offer support through:

• Consultancy projects and advisory services

• Transformation services

• Audits and assurance

• Remediations and regulatory enforcement support

• Outsourcing and flexible resources

• Training services

If you would like to discuss any of the topics raised above, or need help enhancing your anti-financial crime programme or ensuring your team is ready for the year ahead, please do get in touch.

¹. UK Finance Half Year Fraud Update 2023
² FCA’s "Proceeds of fraud - Detecting and preventing money mules" and “Anti-fraud controls and complaint handling”
³ OFSI Annual Review 2022-2023, Strengthening Our Sanctions
⁴ FCA, Sanctions Systems and Controls

In December 2023, the UK government announced changes to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLRs”) in relation to the treatment of Politically Exposed Persons (“PEPs”) entrusted with prominent public functions in the UK (“domestic PEPs”).  These changes came into force on 10 January 2024.

The update means that under the MLRs, when dealing with domestic PEPs (or a family member or known close associate of a domestic PEP) the starting point for banks and other regulated firms is to treat them as inherently lower risk than non-domestic PEPs. This means that firms must apply a lower level of enhanced due diligence (“EDD”) to domestic PEPs compared to non-domestic PEPs, unless other higher risk factors are present (i.e. risk factors other than the PEP status itself).

With this move, the government is encouraging regulated firms to take a more proportionate and risk-based approach to the treatment of domestic PEPs.  This follows reports that a number of individuals that hold a prominent public position have encountered difficulties accessing financing services.  

The new requirements largely mirror guidance previously published by the Financial Crime Authority (FCA) on the treatment of PEPs, but now enter into law for the first time.  In parallel with this regulatory change, the FCA is undertaking a review of the treatment of domestic PEPs, with a report due to be issued in June.

However, the proposed changes have not been universally well received by industry experts, and have caused elements of confusion around how they should be implemented.  For example, practitioners have questioned when enhanced measures will be applied and how higher risk factors will be identified, given the initial level of EDD is now low (i.e. how will firms know if there are any higher risk factors if they are not carrying out robust EDD?). The regulation is not prescriptive in this regard; and as such the onus is on firms to determine what “higher risk factors” may be and how they are to be determined by lower levels of EDD. This has raised the question of whether a firm that does not perform full EDD (per the regulations) and misses something will be deemed wilfully blind or reckless? Will it run the risk of regulatory blowback or prosecution? The upcoming FCA report may provide more clarity, given the speed with which the changes have entered into law, regulated institutions must use their own judgment in the meantime.

Commentators have also expressed concerns that the UK MLRs now do not align with the Financial Action Task Force (“FATF”) recommendations, specifically Recommendations 12 and 22 which require firms to implement measures to prevent the misuse of the financial system by PEPs, and Recommendation 10, which requires firms to take additional measures beyond performing normal customer due diligence on PEP customers. 

Given the regulatory focus on this topic, FINTRAIL has designed a checklist of points to consider for PEP customers across the anti-financial crime framework.

Download the PEP Guidance Checklist

What areas does the checklist cover?

As UK fraud watchers will be well aware, the UK’s Payment Systems Regulator (PSR) has embarked on a multi-pronged approach to reduce authorised push payment (APP) fraud within the Faster Payments System. As well as new mandatory reimbursement requirements due to come into effect in 2024, the PSR hopes to motivate regulated firms to improve their fraud controls by publishing performance data. This will show how much money connected to APP fraud is sent and received by each payment firm, and how firms perform when it comes to reimbursing victims.

The PSR has published the first ‘league tables’ today, showing data for 2022. The stats cover the UK’s 14 largest banking groups (‘directed firms’, which are obliged to report APP fraud data), plus nine other smaller firms that were among the top 20 highest receivers of fraud.

The performance tables will give firms that are successfully reducing APP fraud losses a competitive advantage, as they will enable customers to see how well individual banks perform in reducing fraud and how well they treat victims.

Key takeaways

1. There are inconsistent outcomes for customers reporting APP fraud. Some firms automatically reimburse victims nearly all of the time, others only make partial reimbursements, and others only consider claims in very narrow circumstances. This inconsistency should reduce with the introduction of mandatory reimbursement for all PSPs in 2024.

In terms of value reimbursed, the figures range from 91% (TSB) to 10% (Allied Irish Bank GB). In terms of volume, they range from 94% fully reimbursed plus 4% partially reimbursed (TBS), to 6% fully reimbursed plus 8% partially reimbursed (Monzo) and 12% fully reimbursed (Allied Irish Bank GB).

NB: PSRs are not currently required to reimburse victims of APP fraud. However, as of 2019, participants in the APP Contingent Reimbursement Model Voluntary Code (‘CRM Code’) have voluntarily agreed to reimburse fraud losses. To date there are nine firms signed up, representing the UK’s major banks with over 90% of the market in payment volumes. These firms would therefore be expected to have much higher reimbursement figures.
 

2. The data showing which firms receive the most money generated by APP fraud indicate a massive degree of variation, indicating fraudsters have identified which firms have weak controls and are actively exploiting them.  Newer and smaller PSPs typically have disproportionately higher rates of fraud than larger, more established firms.  The PSR notes these firms are in the much earlier stages of preventing fraud than major banks, and are not part of the voluntary CRM code. 

For non-directed PSPs (i.e. smaller firms), the rates of fraud-related funds received range from £10,355 per £1m received (Clear Junction) down to £334 (JP Morgan/Chase).  The figures were still widely discrepant but over a smaller range for directed PSPs, ranging from £696 per £1m received (Metro Bank) to just £44 (Santander).

Reasons for some firms having high rates of receiving fraud could include fewer, poor or delayed onboarding checks which would allow fraudsters to open and close accounts before being caught, or weaknesses in inbound transaction monitoring which prevent incoming fraudulent funds being identified and held.

NB: The PSR notes that some firms provide payment accounts to customers but do not manage the customer relationship themselves (e.g. banking-as-a-service providers).  The PSR states that irrespective of whether the firms manage the customer relationships themselves, they retain the regulatory responsibility and are expected to ensure their partners manage the risk of onboarding new customers, conducting identity checks, and monitoring transactions effectively.
 

3. Firms have started to address control gaps, and the PSR believes the situation may have improved over 2023 given greater levels of awareness and industry initiatives, but more still remains to be done.

Outcomes

While these figures date back to 2022, they conclusively show that there is a huge gulf in levels of exposure to APP fraud across the UK payment industry.  Many firms need to radically up their game to prevent themselves being used by fraudsters, and there is a clear imperative to do so given the incoming mandatory reimbursement requirements.  Put simply, unless the most exposed firms are able to reduce the value of fraudulent funds they receive, the resultant reimbursements could put them out of business.

The PSR has said it expects firms to start working “now” to implement the new requirements, beginning by allocating appropriate resources, moving towards adopting a stronger risk-based approach to payments, and making better decisions on when to intervene and hold or stop a payment. 

There are numerous anti-financial crime controls which play a role in reducing APP fraud exposure:

• Customer due diligence, including identity verification

• Customer risk assessments, including both customer as fraudsters (receiving funds) and victims (sending funds)

• Ongoing monitoring, including transaction and other activity monitoring

• Information sharing mechanisms and responsiveness to peer institutions and law enforcement

• Use of internal data and financial intelligence

• Robust assurance of fraud controls

• Staff training

How we can help

FINTRAIL is here to help PSPs adapt to the new requirements. Over the last five years we have worked with a range of institutions to successfully reduce their APP fraud exposure.

We offer a range of innovative, data-driven services to improve the effectiveness of your fraud controls and enable better identification of fraud risks. For firms considering where to start, we can conduct a thorough, data-driven risk assessment to identify current weaknesses in frameworks and controls and recommend practical enhancements that will reduce your potential liability exposure. This may include product and feature changes/enhancements, customer vulnerability assessments, new transaction monitoring scenarios, or enhancements to your customer risk assessment model. We can also conduct targeted audits of existing controls, or provide assurance and validation of programme changes being introduced to meet the new reimbursement requirements.

Get in touch with our team to learn more.

Environmental, social and governance (ESG) considerations have become indispensable aspects of sustainable finance and responsible investing, generating a lot of attention and press coverage. Yet there is an important connection between ESG and financial crime which is seldom discussed.  Particularly, the harmful activities of environmental crime, such as illegal deforestation, wildlife trafficking, waste trafficking, and illegal mining, reap globally-felt negative consequences, which has prompted regulators and financial institutions to take action. Some estimates state that ESG regulations have increased by an astounding 155% over the past decade. The European Union, for example, has mandated corporate sustainability disclosures for large and listed companies since January 2023.  And in its most recent annual report, the European Banking Authority (EBA) highlighted the role of ESG risks in the prudential framework.

The three factors that comprise ESG are essential in assessing corporate reputation, investment risk, and sustainability. And both the undermining of ESG factors and the prevalence of financial crimes pose severe threats to firms and increase regulatory and financial risks. Additionally, as with all criminal activity, when ESG crimes occur, the proceeds must be laundered. This is where financial crime naturally overlaps with ESG.  A closer look at this intersection can provide valuable insight into how anti-financial crime compliance can further ESG objectives.

This article examines the relationship between ESG and anti-financial crime and the benefits of their integration, and takes a future view of how ESG will continue influencing anti-financial crime priorities and efforts.

E - Environmental 

As awareness and urgency to address climate change increase, harmful environmental practices have become more scrutinised. Climate action is no longer limited to individuals making voluntary eco-friendly choices but increasingly involves regulatory protections and legal requirements. 

Environmental crime threatens entire ecosystems, human health, and industries. It also reaps massive profits for criminals, being one of the most profitable crimes in the world. The latest figures estimate environmental crime generates $110-281 billion annually. Despite its profitability, environmental crime is perceived as a ‘low risk, high reward’ activity. A recent report on wildlife trafficking in Europe highlighted that because financial institutions lack knowledge of timber and wildlife trafficking typologies, suspicious financial transactions often go unnoticed. These unlawful activities are often linked to organised crime, corruption, and other illicit activities (e.g. environmental crimes such as illegal logging or waste trafficking reportedly fund non-state armed groups and militias, and have links to human trafficking and slave labour).

Environmental crime has been a predicate offence in Europe since the EU’s Sixth AML Directive came into effect in 2020. In the past few years, the global authority on anti-money laundering and counter-terrorism financing (AML/CTF), the Financial Action Task Force (FATF), has published various guidance papers on money laundering from environmental crime and the illegal wildlife trade, marking it as a new area of awareness for financial institutions. In the reports, the FATF draws attention to links to terrorist financing and other areas of criminality.  National regulators have also released specific guidance, such as in Canada and the United States. And last year, for the first time, the Basel AML Index included environmental crime data in its methodology.

Along with a deeper analysis of environmental crime is the recognition that it undermines the sustainability goals set by the ESG framework. As illicit proceeds from environmental crime are laundered, financial institutions face reputational risk, regulatory risk, and financial risk — all of which directly concern ESG-focused investors and financial institutions.

S- Social

One of the key components of the ‘social’ pillar of ESG is human rights. Human trafficking, forced labour and modern slavery generate illicit revenue that finds its way into the legitimate financial system, directly impacting anti-financial crime programmes. Awareness of these crimes has gained significant traction in the past decade, with FATF guidance on topics such as migrant smuggling and money laundering, legislation such as the UK’s  Modern Slavery Act of 2015, and frameworks for human-rights centred sanctions programmes such as the UK’s Global Human Rights Sanctions Regulation 2020.  

ESG regulation relating to the ‘social’ pillar is also an important area of focus in the US, evidenced by the Uyghur Forced Labor Prevention Act, which prohibits the importation of goods that were produced by forced labour in the Xinjiang Uyghur Autonomous Region of China, and has serious implications on supply chains. While other jurisdictions have shied away from a total ban, there have been sanctions for human rights violations against the Uyghurs in places like the UK and Canada, with consequences for financial institutions’ screening programmes.

Such instances underscore the need for financial institutions to be alert to the regulatory and reputational risks associated with emerging social issues within ESG, emphasising the importance of understanding the risk a customer poses.

G- Governance

Within the ESG framework, bribery and corruption are most clearly aligned with both the ‘governance’ pillar and anti-financial crime. Bribery and corruption have long been an area of focus for financial institutions in mitigating financial crime, evidenced by the need to employ special measures for managing politically exposed persons and treating them as higher risk customers. 

In updated guidance on anti-bribery and corruption (ABC) compliance programmes, the Wolfsberg Group stated that financial institutions should consider aligning their ABC programmes with “aspects of bribery and corruption risk which are connected to human rights or ESG concerns”. There have been recent reports of firms already including ESG factors within their ABC and financial crime risk rating systems and vetting clients, suppliers, and third party entities in vulnerable industries.

Integrating ESG principles with anti-financial crime strategies 

Overall, ESG is a high priority for regulators and will continue to gain significance with both official bodies and the general public.  This means that financial institutions should actively consider ESG risks as part of their risk-based approach and within their anti-financial crime programmes.

Concretely, this can mean:

• Conducting enhanced due diligence for individuals or businesses involved in industries with a higher ESG risk (e.g. forestry, animal-related businesses)

• Updating policies and risk appetite statements to account for ESG, and including ESG risk as part of business and customer risk assessments

• Including ESG risk triggers in adverse media screening

• Enhancing training on ESG risks for compliance staff, including exploring its connections to other areas of financial crime

Conclusion

Integrating ESG considerations into anti-financial crime strategies will become increasingly important as regulatory and industry bodies, like the FATF, focus on the financial aspect of environmental crimes, and as jurisdictions continue to legislate the ESG space. The connection between ESG principles and financial crime has critical implications in areas like risk assessments, screening, and due diligence. Recognising these ESG risks can mitigate financial risks, ensure regulatory compliance, and contribute to global sustainability goals. 

At FINTRAIL, we combine deep financial crime risk management with industry expertise to optimise your anti-financial crime programmes. We’re here to support you in creating robust policies and procedures; refining, enhancing or testing your systems and processes; and providing context-based training to your teams. Get in touch to find out how we can help you fortify your controls against ESG crimes and incorporate an ESG risk strategy in a practical and efficient way.

Recent corporate scandals and collapses such as Wirecard, Carillion, BHS, and the infamous Enron case draw out one recurring theme - how to keep auditors accountable.  Conflicts of interest, poor quality and lack of independence have been the hallmarks of the recent scrutiny on audit firms across the UK and globally. As a response, reform is underway within the UK; HM Treasury has announced plans to reform the audit sector to promote quality and competition.

Whilst these reforms focus on corporate reporting, they also raise other questions - should regulated firms reflect on their financial crime audit process and is it time to shake things up?

The value of conducting a financial crime audit cannot be understated - simply put, it helps identify issues and deficiencies in your anti-financial crime (AFC) controls and systems and supports your regulatory compliance. It has long been a regulatory requirement; the Financial Conduct Authority’s Financial Crime Handbook highlights an independent audit (internal or external) to monitor effectiveness of your AFC controls as a best practice. The European Banking Authority’s Guidelines on the Roles and Responsibilities of a Compliance Officer set out a clear expectation for annual independent (internal or external) AML audits to assess the effectiveness of controls, with the findings reported to senior management.  Many partner banks also require to see financial crime audits from their account holders, with some having approved provider lists or set criteria.

With regulatory scrutiny only increasing, it is clear that a ‘check-the-box’ approach to AFC is no longer sufficient. Regulators not only expect firms to conduct an audit but are insisting audits are robust and are conducted by experienced and skilled AFC experts. This reinforces the importance of having a strong audit partner alongside strong internal controls and oversight.

We know that when you have built a strong relationship with your auditor over a number of years and they know your business well, this can be hard to walk away from. But this is often a key reason to make the leap.

Only the largest businesses in the UK are required to change auditors on a regular basis.  For most firms, there is no strict obligation and it’s up to the firms to realise when they may need a fresh look from a new objective partner.

Your needs and business relationships will shift with time and circumstances. And this means your auditing needs may change, too. Sometimes it’s quite clear you need - or want - a new auditor, other times less so. However, changing your auditor periodically can bring advantages to your firm, whether that be fresh insights, a new perspective, or deeper sectoral expertise. It can:

• Provide a new perspective - a new AFC audit firm may improve the robustness of your controls by asking different questions and taking a fresh look at your existing approach.  Having access to different industry leaders and tapping into their deep sectoral knowledge and experience may be a draw.

• Provide objectivity - if one audit firm has reviewed your controls and processes year-in year-out, it may be more difficult for them to be objective or proactive in identifying issues that have previously been overlooked.  Working with a new audit partner helps address this potential risk.

• Support the growth of your firm - as your firm grows you may start to offer new products or become more international, meaning that what was right for you in the past may not be right for you now. You may need an AFC audit firm with specific expertise in your current products, risks and markets.

• Improve the quality of your current engagement - how an AFC audit is delivered matters. Audits should not adopt a one-size-fits-all approach; the ability to customise them to your needs is key.  Rather than settling for your current audit partner for the sake of simplicity, consider if there are other firms that can offer you a better service.

• Increase value for money - price and service is often what this decision comes down too. A fair and competitive price from a firm equipped to respond to your needs quickly, with individuals willing to have open and frank discussions, will set a solid foundation for an effective and efficient audit. 

Overall, the considerations for finding the right AFC audit firm to support your needs are unique for each business. A high-value, quality audit partner will understand your type of business and its financial crime risks, know the industry well, and use that knowledge to translate information into valuable and actionable insights.  A firm that focuses on attention to detail, offers practical and implementable recommendations, provides a responsive service and establishes a trusted relationship will be the right firm for you - for a few years of course!

So what is FINTRAIL’s position?  While normally we are delighted when clients come back to us year after year, with audits we take a different view and practise what we preach!  In line with professional standards, we advise clients to rotate away from us after three years to allow for a fresh set of eyes to review their programme.  They can always come back to us down the line, but we know that rotating to another audit provider for at least a year or two will benefit them most in the long run.

On 7 June, the UK’s Payment Systems Regulator (PSR) published a policy statement outlining new requirements for reimbursing victims of authorised push payment (APP) fraud within the Faster Payments System.

What are the new requirements for APP fraud?

Once the regulations come into effect, currently slated for 2024, all payment service providers (PSPs) will be required to fully reimburse victims of APP fraud within five business days. There are exceptions for fraud or gross negligence by the payer, as well as an excess (value to be decided). The costs of reimbursement will be allocated equally between the sending and receiving PSPs, with a default 50:50 split. 

Why is this happening?

The need for a jolt to the system is clear; APP fraud has quickly become one of the most significant types of payment fraud globally.  The PSR reports that in 2022, there were around 207,000 reported cases on personal accounts with total losses of £485m (but notes this is likely an underestimate).

The authorities’ proposed solution as set out in this statement is also clear - shifting the onus for tackling APP fraud onto financial institutions and giving them a clear financial incentive to prevent it happening in the first place.   The PSR says that by adopting an outcome-based approach, it is giving the industry “the space to innovate and to choose how best to deliver the new reimbursement requirement” - i.e. moving away from tick-box compliance to focus on effectiveness. 

What does this mean for PSPs?

The implications for financial services firms are huge. For some, if they are not able to get their houses in order, the estimated costs could pose an existential threat large enough to put them out of business. We have spoken with industry contacts who have  told us that some institutions and EMI agents  are unlikely to survive under the new regime without significant changes, given how vulnerable they are to APP fraud. We know of estimated liability figures that are significant multiples above current fraud losses. Firms need to take meaningful, decisive action to protect themselves and their customers, to significantly improve how they identify inbound APP fraud related payments on their own books and identify and protect their customers as victims.

What does the PSR expect?

The PSR says it expects industry to start working “now” to implement the new requirements, beginning by allocating appropriate resources and understanding how they can meet the conditions. Specifically, firms should move towards adopting a stronger risk-based approach to payments, and make better decisions on when to intervene and hold or stop a payment. The PSR believes the requirements will lead firms to “innovate and develop effective, data-driven interventions to change customer behaviour” - a message that is music to FINTRAIL’s ears!

What can PSPs do?

So where should payment firms start?  There are numerous parts of an anti-financial crime framework which play a role in reducing APP Fraud exposure - all of which need to be assessed and enhanced:

• Customer due diligence, including identity verification

• Customers as victims; assessing vulnerability and improving awareness

• Customer risk assessments, considering payment sending and receiving exposure

• Ongoing monitoring, including transaction and other activity monitoring

• Operational enhancements to process monitoring interventions and reimbursement claims

• Responsiveness to peer institutions and law enforcement

• Use of internal data and financial intelligence

• Robust assurance of fraud controls

• Staff training

How can we help?

FINTRAIL is here to help PSPs adapt to the new requirements. Over the last five years we have worked with a range of institutions to successfully reduce their APP fraud exposure. With our proven track record we can offer a range of innovative, data-driven services to improve the effectiveness of your fraud controls and enable better identification of fraud risks.

For firms considering where to start, we can conduct a thorough, data-driven risk assessment to identify current weaknesses in frameworks and controls and recommend practical enhancements that will reduce your potential liability exposure. This may include product and feature changes/enhancements, customer vulnerability assessments, new transaction monitoring scenarios, or enhancements to your customer risk assessment model. We can also conduct targeted audits of existing controls, or provide assurance and validation of programme changes being introduced to meet the new reimbursement requirements.

Speak to our team to find out more

It’s no secret that fraud is one of the most pressing threats to financial institutions, exacerbated by stormy economic conditions. The most recent fraud report by UK Finance calls attention to post-pandemic unauthorised and authorised fraud trends, underlining the continuance of social engineering schemes which manipulate victims into forfeiting sensitive details or transferring funds. Overall, the report puts UK fraud losses at an outstanding £1.2 billion for 2022, which is equivalent to over £2,300 every minute.

These high fraud rates correlate with increasing regulatory expectations for firms to remedy weaknesses in their systems and controls. Most recently, the Financial Conduct Authority (FCA) emphasised fraud as a priority area in a Dear CEO letter outlining immediate actions for financial institutions to take.  These include the need to review risk appetite statements to ensure they adequately address the risk of fraud to customers, maintaining appropriate customer due diligence controls to prevent accounts from receiving proceeds of fraud, and regularly reviewing fraud prevention systems and controls to ensure effectiveness.

📢
To address recent regulatory guidance on fraud for financial institutions, FINTRAIL has increased the scope of our fraud assessments as part of our standard audit offering. To find out how we can support your audit process and associated fraud controls, get in touch with our team.

This priority area corresponds with the UK government’s express inclusion of fraud as part of the most recent Economic Crime Plan and the launch of its fraud strategy, which is one of the most progressive in the world. The focus on fraud is not isolated to the UK alone; the United State’s Financial Crimes Enforcement Network (FinCEN) has also made it clear that combating fraud is a top priority, with the Monetary Authority of Singapore (MAS) also funnelling resources into anti-fraud initiatives. In view of this, we can expect further regulatory attention and enforcement concerning fraud.

As fraud remains a huge and growing financial crime threat on a global scale, regulators will not only require firms to have robust fraud controls as part of an effective anti-financial programme but also increase their scrutiny of regulated entities in this area.  Having an appropriate fraud strategy and mitigation measures in place directly translates to effectiveness in anti-financial crime controls, meaning financial institutions should ensure and fortify their framework.

In light of this fraud threat landscape and the associated regulatory expectations, FINTRAIL has increased the scope of fraud assessment as part of our standard audit offering, and also created a fraud audit checklist to help ensure that your anti-financial crime framework is primed and prepared for the risks it faces.

Download your copy of our Fraud Controls Checklist:

What areas does the checklist cover?

In this post, we aim to take a close look at an often overlooked element of a good financial crime compliance programme - the process(es) of quality control (QC) and quality assurance (QA).   

It is one thing (a very good thing!) to have thorough policies and procedures and carefully designed controls, but it is another to understand if they are actually working properly. To this end, regulated institutions need to adopt frameworks to embed appropriate QC / QA practices. These activities are critical in ensuring the integrity of fincrime compliance processes, ensuring regulatory compliance, and safeguarding against illicit activities. In this article, we look at the significance of QC and QA and highlight their key components.

Definitions

First, let’s clear up a common area of confusion and clarify the difference between QC and QA. Both are crucial elements of a comprehensive compliance programme, but each serves a distinct purpose:

Considerations for Success

Quality Control

1. Ensure you map out all the processes which require QC.

2. Consider proportionality. How frequently should you perform QC?  What percentage of tasks are you performing QC on? 

3. Take a risk-based approach to QC. Increase the number / percentage of tasks checked for new joiners, poor performers or higher-risk scenarios.

4. Ensure you have sufficient resources to perform QC. 

5. Ensure you do something meaningful with the output, e.g. enhancing procedures or providing training.

Quality Assurance

1. Set out a QA monitoring programme for the year. You don’t need to do it all at once, and you may not need to cover everything in one year if you deem that appropriate.

2. Take a risk-based approach. Are there any areas that need an urgent deep dive? When was the last time particular controls received assurance? If you conducted QA on a process last year and the results were positive, maybe focus your time/resource somewhere else.

3. Be aware of regulatory changes and horizon scanning. 

4. Ensure you do something meaningful with the output, e.g. policy updates or system enhancements.  You should also feed the findings into your firm’s risk assessment to measure residual risks.

In conclusion, QC and QA are integral components of a robust financial crime compliance programme. By proactively implementing QA measures to improve processes and reacting swiftly to issues through QC practices, organisations can minimise the risk of illicit activities, safeguard their reputations, and comply with regulatory obligations.

Want to find out more about our services?

Say “risk assessment” to a financial crime compliance professional, and you’re sure to invoke hesitation or even fear.  Though mandatory, risk assessments can be daunting, resource-intensive exercises. With new typologies and financial crime threats emerging all the time, how can firms practically rethink risk assessments for a better and more effective approach? 

In a conversation with VP of EverC Melissa Sutherland, FINTRAIL’s CEO Robert Evans and Managing Director Maya Braine unpacked some of the essential considerations for rethinking risk assessments. As risk assessments are the bedrock of your financial crime programme, getting it right is fundamental to your overall success.

Key definitions

Upholding a risk-based approach

A risk assessment is a key component of adopting a risk-based approach. Two-pronged, the exercise involves identifying your firm’s potential risks and then critically assessing them. Which risks are more likely to occur?  What is the severity of their impact? This assessment process will help dictate how you prioritise and distribute your resources. Because compliance resources are finite, moving efforts to a higher-priority risk area will mean less attention to lower-priority areas. While many firms are reluctant to shift resources away from a threat, this triaging is intrinsic to a risk-based approach. We must recognise that low risk is not the same as no risk. However, by prioritising the mitigation measures for highly-likely and high-impact threats, you are taking a risk-based approach which is, ultimately, what regulators expect. 

As new financial crime risks continue to emerge, simply adding them to a risk assessment can make it unmanageable and unsustainable. To counter this, risks should be checked and challenged. Look at the evidence and ask: is this risk still present and relevant?  If not, should it be deprioritised or removed from the assessment? It’s vital to be proportionate with your risk assessment and consider removing extinct threats as well as adding new ones.  Otherwise, the process will balloon to unmanageable proportions and your resources and effectiveness will become diluted.

Establishing cadence

Risk assessments are typically conducted once a year; however, a strictly annual approach is outdated. Ideally, and depending on the nature of the firm, risk assessments should be updated more regularly. As new financial crime risks emerge and more data is available to the compliance function, risk assessments should be re-examined. Especially for rapidly scaling firms, setting up a dynamic approach to risk assessments, which is intrinsic to how the business grows and scales, is vital.

Once a risk assessment is established, cross-reference it with output indicators, such as SARs filed. Are the real risks observed in line with those in the risk assessment? By having a lookback process, you can simultaneously address any assumptions, such as one particular jurisdiction or sector being high-risk, as well as capture changes.

Data, data, data!

One common problem with risk assessments is they can often be based on assumptions rather than factual information.  Both internal and external data sources can give you more factual indicators of where your risks truly lie.  For instance, your internal data may show you which industry types regularly see suspicious activity and feature in more investigations or SARs, which will likely be more accurate than generic “high risk industry lists” which are not tailored to your firm.  

As firms get better at capturing and utilising multiple data points, it’s important to make sure you utilise all relevant information while avoiding being overwhelmed. Risk assessments should balance using consistent data points and incorporating newer, evolving data points. Consistent and high-quality data points are important for benchmarking so a firm can track its compliance efforts and identify trends. When deciding which data points to use, consider your most significant threats. For example, if fraud is a top concern, concentrating on device ID information or biometrics might make the most sense. Allow your top-risk concerns to guide you on where to focus your efforts and which granular data points to include.

Garner insights from business teams

Suspicious activities are typically anomalous. Understanding risk and atypical behaviour requires identifying what is typical as well. Involving other stakeholders in your firm, such as customer-facing teams like relationship managers, can give meaningful insight into what regular activity looks like. As these teams have more exposure to standard day-to-day activity, they can help the compliance department create a better picture of risk factors. Without engagement between business teams, firms may have a skewed perspective of risk. For early-stage firms, having meaningful discussions with the CEO or key founders can help determine: who is the target customer base, and how would a typical user use the product? 

Document your decisions

Unsurprisingly, it’s vital to document decisions and actions when it comes to your risk assessment.  Have a clear and articulate methodology statement: what methodology are you applying, and how do the calculations work? Use data to support your decisions. For example, if there have been no SARs filed or transaction monitoring alerts raised for a particular typology, then document that as part of your justification for its removal or de-prioritisation.

At FINTRAIL, we combine deep financial crime risk management with industry expertise to optimise your anti-financial crime programmes. With extensive experience assisting financial services businesses with building and conducting their enterprise and product risk assessments and customer risk assessments, we’re here to support you.

While environmental issues are front and centre of public discourse, environmental crime often takes a backseat. Yet environmental crime impacts every country and is considered ‘low risk, high reward,’ meaning those who commit it face inadequate consequences despite reaping massive financial gains.

Environmental crime is one of the most profitable proceeds-generating crimes in the world, with the latest figures estimating it generates $110-281 billion annually, in line with the likes of drug trafficking and counterfeit goods. The repercussions of environmental crimes are far-reaching and potentially catastrophic, including climate change and ecological disasters, disease risk, food contamination, and negative impacts on human health including reduced life expectancy and death. And it’s not just the impact of the environmental crime itself - these nefarious activities fund non-state armed groups and militia, making up 38% of their income, and have links to human trafficking and slave labour.

Given its status as a growing threat, the European Union added environmental crime to its list of predicate offences in the Sixth AML Directive. However, it remains a difficult crime to identify due to its wide-reaching nature. This article looks at two areas in which organised crime groups (OCGs) have involved themselves, forestry crime and waste trafficking, and identifies ways for financial institutions to tackle the issue.

Illegal deforestation and logging 🌲🪵

Forestry crimes can generally be grouped into two camps: illegal logging and land clearing.

Illegal logging - When timber is harvested, processed, transported, bought, or sold in breach of laws and regulations
Illicit land clearing - The unlawful acquisition and clearing of land for farming, building or real estate speculation

Both of these types of green crime often involve deep-seated corruption, from illegally-obtained logging licences to illegal timber plantations. A recent investigation by the International Consortium of Journalists (ICIJ) exposes how unregulated the forestry industry is, with ‘green certifications’ being given to products linked to illegal clear-cutting and authoritarian regimes such as in Myanmar.

Beyond the obvious destruction of wildlife and ecosystems, illegal logging destroys communities, causes human rights violations, and causes massive tax revenue losses for governments. Like in wildlife trafficking, intermediaries, exporters, and retailers stand to make the bulk of profits, with lower-level actors in the supply chain receiving only minimal amounts of the proceeds. As illegal logging is the most profitable natural resource crime in the world, bribery, fraud, and corruption are commonplace. Criminals have even resorted to hacking government websites to obtain permits. 

One difficulty with identifying illegal logging is the tendency for criminals to commingle goods, blending illegal wood with legally sourced timber. Illegal goods like tinder are challenging to differentiate from their legal counterparts, unlike narcotics which are easier to identify.

Waste trafficking  🗑

Garbage is big money and dirty business. A grossly under-discussed crime, waste trafficking is a lucrative business estimated to generate $10-12 billion annually. Illegal activities concerning waste trafficking involve trade that violates import or export bans (for example, the Basel Convention, which bans the movement of hazardous waste from OECD countries to developing countries) or the illegal and improper treatment of waste through disposal, incineration, or recycling. 

Both legitimate waste management businesses and criminal organisations can engage in illicit waste trafficking, with the latter often using legitimate waste management companies. With this strategy, criminals can easily blend illicit proceeds with legitimate funds, masking their nefarious origin. Criminals may also forge documents to mislabel waste as recycling or second-hand goods or to miscategorise hazardous waste as non-hazardous.

Illegal dumping

OCGs using waste management front companies employ sub-standard disposal or storage processes, sometimes engaging in illegal dumping. These practices have tremendous cleanup costs and pose a direct threat to public safety. One example that made headlines worldwide was the Camorra, an Italian mafia group centred around Naples, that burned toxic waste in the Italian countryside for decades, contributing to increased cancer rates. More recently, a 46-hectare site in Northern Ireland, known as the Mobuoy dump, was exposed as one of Europe’s largest illegal waste sites. As a result of Mobuoy, toxins have leached into the groundwater and river, causing serious health effects on communities and the ecosystem. Among the dangerous materials are asbestos and arsenic, with a cleanup cost estimated to be £100 million.

Sadly, because of the trajectory of global waste flows, most illicit waste ends up in the developing world. In its research, the Financial Action Task Force (FATF) identifies parts of Sub-Saharan Africa, Southeast Asia, and Central and South America as primary destinations. However, recent media reports have revealed Romania and Bulgaria as growing sites for illicit waste from Western Europe.

Aside from the environmental impacts, the waste industry has ties to human trafficking as a source of cheap labour. According to one non-profit organisation, two-thirds of modern slavery victims have worked within the waste industry in the UK. There is growing evidence that illicit waste trafficking is converging with other illegal goods, including instances of waste businesses used as a front for prostitution and drug trafficking. In one case, cocaine and other narcotics were hidden in garbage to avoid detection, before being shipped to Turkey.

Laundering the proceeds of environmental crime 💵

Money laundering methods for environmental crimes are similar to other predicate offences. Front companies and front persons are commonly used to commingle profits with varying degrees of sophistication, though experts have noted waste trafficking operations can be less complex than forestry crimes.

Like other transnational crimes, shell companies are frequently used to hide beneficial owners. In addition to intermediaries such as lawyers, accountants, trust and corporate service providers, freight forwarders and customs brokers play a notable role in facilitating the illicit trade. Trade-based money laundering techniques are also used, including forging import and export documents, under- or over-invoicing, issuing multiple invoices of goods, over-shipments and under-shipments, or the complete fabrication of transactions.

What should financial institutions be doing?

For financial institutions looking to strengthen their anti-financial crime programmes against environmental crime, assessing screening procedures is vital. Non-governmental organisations that focus on reporting and investigating environmental crimes can help firms identify bad actors, with links identified through adverse media screening. Additionally, financial institutions should consider putting customers involved in higher-risk industries such as forestry, wildlife, and waste management under enhanced due diligence measures.

At FINTRAIL, we combine deep financial crime risk management with industry expertise to optimise your anti-financial crime programmes. We’re here to support you in creating robust policies and procedures; refining, enhancing or testing your systems and processes; and providing context-based training to your teams. Get in touch to find out how we can help you fortify your controls against environmental crimes in a practical and efficient way.