Financial Crime Guide

Financial Crime Guide:
A firm’s guide to
countering financial
crime risks (FCG)
FC Contents
Financial Crime Guide: A firm’s guide to countering

financial crime risks (FCG)
FCG 1 Introduction
1.1 What is the FCG?

1.2 How to use the FCG
1.3 Format of the FCG
1.4 Further ﬁnancial crime information
FCG 2 Financial crime systems and controls
2.1 Introduction
2.2 Themes
2.3 Further guidance
FCG 3 Money laundering and terrorist ﬁnancing
3.1 Introduction
3.2 Themes
3.4 Sources of further information
FCG 4 Fraud
4.1 Introduction
4.2 Themes
FCG 5 Data security
5.1 Introduction
5.2 Themes
FCG 6 Bribery and corruption
6.1 Introduction
6.2 Themes
FC–i www.handbook.fca.org.uk ■ Release 36 ● Feb 2019

FC Contents
FCG 7 Sanctions and asset freezes
7.1 Introduction
7.2 Themes
FCG 8 Insider dealing and market manipulation
8.1 Introduction
8.2 Themes
FCG Annex Common terms
1 Common terms
■ Release 36 ● Feb 2019 www.handbook.fca.org.uk FC–ii

FC Contents
FC–iii www.handbook.fca.org.uk ■ Release 36 ● Feb 2019

Financial Crime Guide: A firm’s guide to countering financial crime risks (FCG)
Chapter 1
Introduction
■ Release 36 ● Feb 2019 www.handbook.fca.org.uk FCG 1/1

FCG 1 : Introduction Section 1.1 : What is the FCG?
1
1.1 What is the FCG?
1.1.1 FCG provides practical assistance and information for firms of all sizes and
across all FCA-supervised sectors on actions they can take to counter the risk
that they might be used to further financial crime. Its contents are drawn
primarily from FCA and FSA thematic reviews, with some additional material
included to reflect other aspects of our financial crime remit.
1.1.2 Effective systems and controls can help firms to detect, prevent and deter
financial crime.FCG provides guidance on financial crime systems and
controls, both generally and in relation to specific risks such as money
laundering, bribery and corruption and fraud. Annexed to FCG is a list of
common and useful terms. ■ FCG Annex 1 is provided for reference purposes
only and is not a list of ‘defined terms’. Where a word or phrase is in italics,
its definition will be the one used for that word or phrase in the Glossary to
the FCA Handbook.
1.1.3 FCTR provides summaries of, and links to, FSA (now the FCA) thematic
reviews of various financial crime risks and sets out the full examples of good
and poor practice that were included with the reviews’ findings.
1.1.4 We will keep FCG under review and will continue to update it to reflect the
findings of future thematic reviews, enforcement actions and other FCA
publications and to cover emerging risks and concerns.
1.1.5 The material in FCG does not form part of the Handbook, but it does contain
guidance on Handbook rules and principles, particularly:
•■ SYSC 3.2.6R and ■ SYSC 6.1.1R, which require firms to establish and
maintain effective systems and controls to counter the risk that they
might be used to further financial crime;
•Principles 1 (integrity), 2 (skill, care and diligence), 3 (management

and control) and 11 (relations with regulators) of our Principles for
Businesses, which are set out in ■ PRIN 2.1.1R;
•the Statements of Principle for Approved Persons set out in

■ APER 2.1A.3R and the conduct rules set out in ■ COCON 2.1 and ■ 2.2;
and
•in relation to guidance on money laundering, the rules in

■ SYSC 3.2.6 to ■ SYSC 3.2.6 IR and ■ SYSC 6.3 (Financial crime).
FCG 1/2 www.handbook.fca.org.uk ■ Release 36 ● Feb 2019

FCG 1 : Introduction Section 1.1 : What is the FCG?
Where FCG refers to guidance in relation to SYSC requirements, this may also
be relevant to compliance with the corresponding Principle in our Principles 1
for Businesses and corresponding requirements in the Payment Services
Regulations and the Electronic Money Regulations.
1.1.6 Direct references in FCG to requirements set out in our rules or other legal
provisions include a cross reference to the relevant provision.
1.1.7 FCG contains ‘general guidance’ as defined in section 139B of the Financial
Services and Markets Act 2000 (FSMA). The guidance is not binding and we
will not presume that a firm’s departure from our guidance indicates that it
has breached our rules.
1.1.8 Our focus, when supervising firms, is on whether they are complying with
our rules and their other legal obligations. Firms can comply with their
financial crime obligations in ways other than following the good practice
set out in FCG. But we expect firms to be aware of what we say where it
applies to them and to consider applicable guidance when establishing,
implementing and maintaining their anti-financial crime systems and
controls. More information about FCA guidance and its status can be found
in our Reader’s Guide: an introduction to the Handbook; ■ DEPP 6.2.1G(4) and
■ EG 2.9.1G – ■ 2.9.6G.
1.1.9 FCG also contains guidance on how firms can meet the requirements of the
Money Laundering Regulations and the EU Funds Transfer Regulation. While
the relevant parts of the guide that refer to the Money Laundering
Regulations may be ‘relevant guidance’ under these regulations, it is not
approved by HM Treasury.
1.1.10 The Joint Money Laundering Steering Group’s (JMLSG) guidance for the UK
financial sector on the prevention of money laundering and combating
terrorist financing is ‘relevant guidance’ and is approved by HM Treasury
under the Money Laundering Regulations. As confirmed in ■ DEPP 6.2.3G,
■ EG 12.1.2G and ■ EG 19.15.5G, the FCA will continue to have regard to
whether firms have followed the relevant provisions of JMLSG’s guidance
when deciding whether conduct amounts to a breach of relevant
requirements.
1.1.11 FCG is not a standalone document; it does not attempt to set out all
applicable requirements and should be read in conjunction with existing
laws, rules and guidance on financial crime. If there is a discrepancy between
FCG and any applicable legal requirements, the provisions of the relevant
requirement prevail. If firms have any doubt about a legal or other provision
or their responsibilities under FSMA or other relevant legislation or
requirements, they should seek appropriate professional advice.

FCG 1 : Introduction Section 1.2 : How to use the FCG
1
1.2 How to use the FCG
1.2.1. Who should read this chapter? This paragraph indicates the types of firm to
which the material applies. A reference to ‘all firms’ in the body of the
chapter means all firms to which the chapter is applied at the start of the
chapter.
1.2.2 Each section discusses how firms tackle a different type of financial crime.
Sections open with a short passage giving context to what follows. In FCG
we use:
•‘must’ where provisions are mandatory because they are required by

legislation or our rules
•‘should’ to describe how we would normally expect a firm to meet

its financial crime obligations while acknowledging that firms may be
able to meet their obligations in other ways, and
•‘may’ to describe examples of good practice that go beyond basic

compliance.
1.2.3 Firms should apply the guidance in a risk-based, proportionate way taking
into account such factors as the nature, size and complexity of the firm. For
example:
•We say in ■ FCG 2.2.1G (Governance) that senior management should

actively engage in a firm’s approach to addressing financial crime
risk. The level of seniority and degree of engagement that is
appropriate will differ based on a variety of factors, including the
management structure of the firm and the seriousness of the risk.
•We ask in ■ FCG 3.2.5G (Ongoing monitoring) how a firm monitors

transactions to spot potential money laundering. While we expect
that a global retail bank that carries out a large number of customer
transactions would need to include automated systems in its
processes if it is to monitor effectively, a small firm with low
transaction volumes could do so manually.
•We say in ■ FCG 4.2.1G (General – preventing losses from fraud) that
it is good practice for firms to engage with relevant cross-industry
efforts to combat fraud. A national retail bank is likely to have a
greater exposure to fraud, and therefore to have more information
to contribute to such efforts, than a small local building society, and
we would expect this to be reflected in their levels of engagement.

FCG 1 : Introduction Section 1.3 : Format of the FCG
1
1.3 Format of the FCG
Financial crime: a guide for firms

......................................................................................................
1.3.1 FCG looks at key aspects of firms’ efforts to counter different types of crime.
It is aimed at firms big and small; material will not necessarily apply to all
situations. If guidance is specific to certain types of firm, this is indicated by
italics.
Self-assessment questions:
•These questions will help you to consider whether your firm’s

approach is appropriate. (Text in brackets expands on this.)
•The FCA may follow similar lines of inquiry when discussing

financial crime issues with firms.
•The questions draw attention to some of the key points firms

should consider when deciding how to address a financial crime issue
or comply with a financial crime requirement.
Examples of good practice Examples of poor practice

• This list provides illustrative • This list provides illustrative
examples of good practices. examples of poor practices.
• Good practice examples are • Poor practice examples are
drawn from conduct seen in also drawn from conduct seen
firms during thematic work in during thematic work.
relation to financial crime.
• We would draw comfort from • Some show a lack of commit-
seeing evidence that these ment, others fall short of our
practices take place. expectations; some, as indic-
ated in the text, may breach
regulatory requirements or be
criminal offences.
• Note that if these practices • These do not identify all cases
are lacking it may not be a where conduct may give rise
problem. The FCA would con- to regulatory breaches or crim-
sider whether a firm has inal offences.
taken other measures to meet
its obligations.
Case studies and other information

......................................................................................................
1.3.2 Most sections contain case studies outlining occasions when a person’s
conduct fell short of the regulatory expectations, and enforcement action
followed; or information on topics relevant to the section.

FCG 1 : Introduction Section 1.4 : Further financial crime
information
1
1.4 Further financial crime information
1.4.1 Where to find out more:
•Most sections close with some sources of further information..
•This includes cross-references to relevant guidance in FCTR.
•It also includes links to external websites and materials. Although

the external links are included to assist readers of FCG, we are not
responsible for the content of these, as we neither produce nor
maintain them

Financial crime systems and controls
Chapter 2
Financial crime systems and

controls

FCG 2 : Financial crime systems Section 2.1 : Introduction
and controls
2.1 Introduction
2
2.1.1 Who should read this chapter? This chapter applies to all firms subject to the
financial crime rules in ■ SYSC 3.2.6R or ■ SYSC 6.1.1R. It also applies to e-
money institutions and payment institutions within our supervisory scope.
2.1.2 The Annex I financial institutions which we supervise for compliance with
their obligations under the Money Laundering Regulations are not subject to
the financial crime rules in SYSC. But the guidance in this chapter applies to
them as it can assist them to comply with their obligations under the
Regulations.
2.1.3 All firms must take steps to defend themselves against financial crime, but a
variety of approaches is possible. This chapter provides guidance on themes
that should form the basis of managing financial crime risk. The general
topics outlined here are also relevant in the context of the specific financial
crime risks detailed in subsequent chapters. See ■ SYSC 6.1.1R and
■ SYSC 3.2.6R.

FCG 2 : Financial crime systems Section 2.2 : Themes
and controls
2.2 Themes
2
Governance
......................................................................................................
2.2.1 We expect senior management to take clear responsibility for managing
financial crime risks, which should be treated in the same manner as other
risks faced by the business. There should be evidence that senior
management are actively engaged in the firm’s approach to addressing the
risks. In considering senior management arrangements in the Guide, firms
should consider their arrangements to comply with the Senior Managers and
Certification Regime (SM&CR).
[Editor’s note: see https://www.fca.org.uk/firms/senior-managers-certification-
regime]
•When did senior management, including the board or appropriate

sub-committees, last consider financial crime issues? What action
followed discussions?
•How are senior management kept up to date on financial crime

issues? (This may include receiving reports on the firm’s performance
in this area as well as ad hoc briefings on individual cases or
emerging threats.)
•Is there evidence that issues have been escalated where warranted?

• Senior management set the • There is little evidence of
right tone and demonstrate senior staff involvement and
leadership on financial crime challenge in practice.
issues.
• A firm takes active steps to • A firm concentrates on nar-
prevent criminals taking ad- row compliance with min-
vantage of its services. imum regulatory standards
and has little engagement
with the issues.
• We would draw comfort from • Financial crime issues are
seeing evidence that these dealt with on a purely react-
practices take place. ive basis.
• A firm has a strategy for self- • There is no meaningful record
improvement on financial or evidence of senior manage-
crime. ment considering financial
crime risks.
• There are clear criteria for es-
calating financial crime issues.

and controls
Management information (MI)

......................................................................................................
2.2.2 MI should provide senior management with sufficient information to
understand the financial crime risks to which their firm is exposed. This will
2 help senior management effectively manage those risks and adhere to the
firm’s own risk appetite. MI should be provided regularly and ad hoc, as risk
dictates.
Examples of financial crime MI include:
•an overview of the financial crime risks to which the firm is

exposed, including information about emerging risks and any
changes to the firm’s risk assessment
•legal and regulatory developments and the impact these have on

the firm’s approach
•an overview of the effectiveness of the firm’s financial crime systems

and controls
•an overview of staff expenses, gifts and hospitality and charitable

donations, including claims that were rejected, and
•relevant information about individual business relationships, for

example:
the number and nature of new business relationships, in
particular those that are high risk
the number and nature of business relationships that were
terminated due to financial crime concerns
the number of transaction monitoring alerts
details of any true sanction hits, and
information about suspicious activity reports considered or
submitted, where this is relevant.
MI may come from more than one source, for example the compliance
department, internal audit, the MLRO or the nominated officer.
Structure
......................................................................................................
2.2.3 Firms’ organisational structures to combat financial crime may differ. Some
large firms will have a single unit that coordinates efforts and which may
report to the head of risk, the head of compliance or directly to the CEO.
Other firms may spread responsibilities more widely. There is no one ‘right
answer’ but the firm’s structure should promote coordination and
information sharing across the business.
•Who has ultimate responsibility for financial crime matters,

particularly: a) anti-money laundering; b) fraud prevention; c) data
security; d) countering terrorist financing; e) anti-bribery and
corruption and f) financial sanctions?
•Do staff have appropriate seniority and experience, along with clear
reporting lines?

and controls
•Does the structure promote a coordinated approach and

accountability?
•Are the firm’s financial crime teams adequately resourced to carry

out their functions effectively? What are the annual budgets for 2
dealing with financial crime, and are they proportionate to the risks?
•In smaller firms: do those with financial crime responsibilities have

other roles? (It is reasonable for staff to have more than one role,
but consider whether they are spread too thinly and whether this
may give rise to conflicts of interest.)

• Financial crime risks are ad- • The firm makes no effort to
dressed in a coordinated man- understand or address gaps in
ner across the business and in- its financial crime defences.
formation is shared readily.
• Management responsible for • Financial crime officers are
financial crime are sufficiently relatively junior and lack ac-
senior as well as being cred- cess to senior management.
ible, independent, and ex- They are often overruled with-
perienced. out documented justification.
• A firm has considered how • Financial crime departments
counter-fraud and anti-money are under-resourced and
laundering efforts can senior management are reluct-
complement each other. ant to address this.
• A firm has a strategy for self-
improvement on financial
crime.
• The firm bolsters insufficient
in-house knowledge or re-
source with external expert-
ise, for example in relation to
assessing financial crime risk
or monitoring compliance
with standards.
Risk assessment
......................................................................................................
2.2.4 A thorough understanding of its financial crime risks is key if a firm is to
apply proportionate and effective systems and controls.
A firm should identify and assess the financial crime risks to which it is
exposed as a result of, for example, the products and services it offers, the
jurisdictions it operates in, the types of customer it attracts, the complexity
and volume of transactions, and the distribution channels it uses to service its
customers. Firms can then target their financial crime resources on the areas
of greatest risk.
A business-wide risk assessment – or risk assessments – should:
•be comprehensive and consider a wide range of factors – it is not

normally enough to consider just one factor
•draw on a wide range of relevant information – it is not normally

enough to consider just one source, and

and controls
•be proportionate to the nature, scale and complexity of the firm’s

activities.
Firms should build on their business-wide risk assessment or risk assessments

2 to determine the level of risk associated with individual relationships. This
should:
•enable the firm to take a holistic view of the risk associated with
the relationship, considering all relevant risk factors, and
•enable the firm to apply the appropriate level of due diligence to

manage the risks identified.
The assessment of risk associated with individual relationships can inform,

but is not a substitute for, business-wide risk assessments.
Firms should regularly review both their business-wide and individual risk
assessments to ensure they remain current.
•What are the main financial crime risks to the business?
•How does your firm seek to understand the financial crime risks it
faces?
•When did the firm last update its risk assessment?
•How do you identify new or emerging financial crime risks?
•Is there evidence that risk is considered and recorded systematically,

assessments are updated and sign-off is appropriate?
•Who challenges risk assessments and how? Is this process sufficiently

rigorous and well-documented?
•How do procedures on the ground adapt to emerging risks? (For

example, how quickly are policy manuals updated and procedures
amended?)

• The firm’s risk assessment is • Risk assessment is a one-off
comprehensive. exercise.
• Risk assessment is a continu- • Efforts to understand risk are
ous process based on the best piecemeal and lack coor-
information available from in- dination.
ternal and external sources.
• The firm assesses where risks • Risk assessments are in-
are greater and concentrates complete.
its resources accordingly.
• The firm actively considers the • The firm targets financial
impact of crime on customers. crimes that affect the bottom
line (e.g. fraud against the
firm) but neglects those

and controls

where third parties suffer
(e.g. fraud against customers).
2
• The firm considers financial
crime risk when designing
new products and services.
Policies and procedures

......................................................................................................
2.2.5 A firm must have in place up-to-date policies and procedures appropriate to
its business. These should be readily accessible, effective and understood by
all relevant staff.
•How often are your firm’s policies and procedures reviewed, and at
what level of seniority?
•How does it mitigate the financial crime risks it identifies?
•What steps does the firm take to ensure that relevant policies and
procedures reflect new risks or external events? How quickly are any
necessary changes made?
•What steps does the firm take to ensure that staff understand its
policies and procedures?
•For larger groups, how does your firm ensure that policies and
procedures are disseminated and applied throughout the business?

• There is clear documentation • A firm has no written policies
of a firm’s approach to com- and procedures.
plying with its legal and regu-
latory requirements in rela-
tion to financial crime.
• Policies and procedures are • The firm does not tailor ex-
regularly reviewed and ternally produced policies and
updated. procedures to suit its business.
• Internal audit or another inde- • The firm fails to review pol-
pendent party monitors the ef- icies and procedures in light
fectiveness of policies, proced- of events.
ures, systems and controls.
• The firm fails to check
whether policies and proced-
ures are applied consistently
and effectively.
• A firm has not considered
whether its policies and pro-
cedures are consistent with its
obligations under legislation
that forbids discrimination.
See ■ SYSC 3.2.6R and ■ SYSC 6.1.1R.

and controls
Staff recruitment, vetting, training, awareness and

remuneration
......................................................................................................
2.2.6 Firms must employ staff who possess the skills, knowledge and expertise to
2 carry out their functions effectively. They should review employees’
competence and take appropriate action to ensure they remain competent
for their role. Vetting and training should be appropriate to employees’
roles.
Firms should manage the risk of staff being rewarded for taking
unacceptable financial crime risks. In this context, Remuneration Principle
12(h), as set out in ■ SYSC 19A.3.51R and ■ 19A.3.52E, may be relevant to firms
subject to the Remuneration Code.
•What is your approach to vetting staff? Do vetting and

management of different staff reflect the financial crime risks to
which they are exposed?
•How does your firm ensure that its employees are aware of financial
crime risks and of their obligations in relation to those risks?
•Do staff have access to training on an appropriate range of financial

crime risks?
•How does the firm ensure that training is of consistent quality and
is kept up to date?
•Is training tailored to particular roles?
•How do you assess the effectiveness of your training on topics

related to financial crime?
•Is training material relevant and up to date? When was it last

reviewed?

• •
• Staff in higher risk roles are • Staff are not competent to
subject to more thorough carry out preventative func-
vetting. tions effectively, exposing the
firm to financial crime risk.
• Temporary staff in higher risk • Staff vetting is a one-off
roles are subject to the same exercise.
level of vetting as permanent
members of staff in similar
roles.
• Where employment agencies • The firm fails to identify
are used, the firm periodically changes that could affect an
satisfies itself that the agency individual’s integrity and
is adhering to the agreed vet- suitability.
ting standard.
• Tailored training is in place to • The firm limits enhanced vet-
ensure staff knowledge is ad- ting to senior management
equate and up to date. roles and fails to vet staff
whose roles expose them to
higher financial crime risk.

and controls

• New staff in customer-facing • The firm fails to identify
positions receive financial whether staff whose roles ex-
crime training tailored to pose them to bribery and cor- 2
their role before being able ruption risk have links to rel-
to interact with customers. evant political or administrat-
ive decision-makers.
• Training has a strong practical • Poor compliance records are
dimension (e.g. case studies) not reflected in staff ap-
and some form of testing. praisals and remuneration.
• The firm satisfies itself that • Training dwells unduly on le-
staff understand their respons- gislation and regulations ra-
ibilities (e.g. computerised ther than practical examples.
training contains a test).
• Whistleblowing procedures • Training material is not kept
are clear and accessible, and up to date.
respect staff confidentiality.
• The firm fails to identify train-
ing needs.
• There are no training logs or
tracking of employees’ train-
ing history.
• Training content lacks man-
agement sign-off.
• Training does not cover
whistleblowing and escala-
tion procedures.
Quality of oversight
......................................................................................................
2.2.7 A firm’s efforts to combat financial crime should be subject to challenge. We
expect senior management to ensure that policies and procedures are
appropriate and followed.
•How does your firm ensure that its approach to reviewing the
effectiveness of financial crime systems controls is comprehensive?
•What are the findings of recent internal audits and compliance

reviews on topics related to financial crime?
•How has the firm progressed remedial measures?

• Internal audit and compliance • Compliance unit and audit te-
routinely test the firm’s de- ams lack experience in finan-
fences against financial crime, cial crime matters.
including specific financial
crime threats.

and controls

• Decisions on allocation of com- • Audit findings and compli-
pliance and audit resource are ance conclusions are not
2 risk-based. shared between business un-
its. Lessons are not spread
more widely.
• Management engage con-
structively with processes of
oversight and challenge.
• Smaller firms seek external
help if needed.

FCG 2 : Financial crime systems Section 2.3 : Further guidance
and controls

2
2.3.1 FCTR contains the following additional guidance on governance:
• ■ FCTR 6.3.1G (Governance), from the FSA’s thematic review Data

security in Financial Services
• ■ FCTR 8.3.1G (Senior management responsibility) from the FSA’s

thematic review Financial services firms’ approach to UK financial
sanctions
• ■ FCTR 9.3.1G (Governance and management information) from the

FSA’s thematic review Anti-bribery and corruption in commercial
insurance broking
• ■ FCTR 11.3.1G (Governance, culture and information sharing) from

the FSA’s thematic review Mortgage fraud against lenders
2.3.2 FCTR contains the following additional guidance on risk assessment:
• ■ FCTR 8.3.2G (Risk assessment) from the FSA’s thematic review

Financial services firms’ approach to UK financial sanctions
• ■ FCTR 9.3.2G (Risk assessment and responses to significant bribery

and corruption events) from the FSA’s thematic review Anti-bribery
and corruption in commercial insurance broking
• ■ FCTR 10.3.7G (Responsibilities and risk assessments) from the FSA’s

thematic review The Small Firms Financial Crime Review
• ■ FCTR 12.3.3G (High risk customers and PEPs – Risk assessment) and
(Correspondent banking – Risk assessment of respondent banks) from
the FSA’s thematic review Banks’ management of high money
laundering risk situations
2.3.3 FCTR contains the following additional guidance on policies and procedures:
• ■ FCTR 8.3.3G (Policies and procedures) from the FSA’s thematic

review Financial services firms’ approach to UK financial sanctions
• ■ FCTR 10.3.1G (Regulatory/Legal obligations) from the FSA’s

thematic review The Small Firms Financial Crime Review

FCG 2 : Financial crime systems Section 2.3 : Further guidance
and controls
• ■ FCTR 12.3.2G (High risk customers and PEPs – AML policies and
procedures) from the FSA’s thematic review Banks’ management of
high money laundering risk situations
2
2.3.4 FCTR contains the following additional guidance on staff recruitment,
vetting, training and awareness:
• ■ FCTR 6.3.2G (Training and awareness) and ■ FCTR 6.3.3G (Staff

recruitment and vetting) from the FSA’s thematic review Data
security in Financial Services
• ■ FCTR 8.3.4G (Staff training and awareness) from the FSA’s thematic
review Financial services firms’ approach to UK financial sanctions
• ■ FCTR 9.3.5G (Staff recruitment and vetting) and ■ FCTR 9.3.6G

(Training and awareness) from the FSA’s thematic review Anti-bribery
and corruption in commercial insurance broking
• ■ FCTR 10.3.6G (Training) from the FSA’s thematic review The Small
Firms Financial Crime Review
• ■ FCTR 11.3.6G (Staff recruitment and vetting) and ■ FCTR 11.3.8G

(Staff training and awareness) from the FSA’s thematic review
Mortgage fraud against lenders laundering risk situations
2.3.5 FCTR contains the following additional guidance on quality of oversight:
• ■ FCTR 6.3.15G (Internal audit and compliance monitoring) from the

FSA’s thematic review Data security in Financial Services
• ■ FCTR 9.3.9G (The role of compliance and internal audit) from the
FSA’s thematic review Anti-bribery and corruption in commercial
insurance broking
• ■ FCTR 11.3.5G (Compliance and internal audit) from the FSA’s

thematic review Mortgage fraud against lenders
2.3.6 For firms’ obligations in relation to whistleblowers see the Public Interest
Disclosure Act 1998: www.legislation.gov.uk/ukpga/1998/23/contents

Money laundering and terrorist financing
Chapter 3
Money laundering and

terrorist financing

FCG 3 : Money laundering and Section 3.1 : Introduction
terrorist financing
3.1 Introduction
3.1.1 Who should read this chapter? This section applies to all firms who are
subject to the money laundering provisions in ■ SYSC 3.2.6A – J or ■ SYSC 6.3. It
also applies to Annex I financial institutions and e-money institutions for
whom we are the supervisory authority under the Money Laundering
Regulations.
3.1.2 This guidance does not apply to payment institutions, which are supervised
for compliance with the Money Laundering Regulations by HM Revenue and
Customs. But it may be of interest to them, to the extent that we may refuse
to authorise them, or remove their authorisation, if they do not satisfy us
that they comply with the Money Laundering Regulations.
3.1.3 This guidance is less relevant for those who have more limited anti-money
laundering (AML) responsibilities, such as mortgage brokers, general insurers
and general insurance intermediaries. But it may still be of use, for example,
to assist them in establishing and maintaining systems and controls to reduce
the risk that they may be used to handle the proceeds from crime; and to
meet the requirements of the Proceeds of Crime Act 2002 to which they are
subject.
3.1.4 ■ FCG 3.2.2G (The Money Laundering Reporting Officer (MLRO)) applies only
to firms who are subject to the money laundering provisions in
■ SYSC 3.2.6A – J or ■ SYSC 6.3, except it does not apply to sole traders who
have no employees.
3.1.5 ■ FCG 3.2.13G (Customer payments) applies to banks subject to ■ SYSC 6.3.
3.1.6 The guidance in this chapter relates both to our interpretation of

requirements of the Money Laundering Regulations and to the financial
crime and money laundering provisions of ■ SYSC 3.2.6R – ■ 3.2.6JG,
■ SYSC 6.1.1R and ■ SYSC 6.3.
3.1.7 The Joint Money Laundering Steering Group (JMLSG) produces detailed
guidance for firms in the UK financial sector on how to comply with their
legal and regulatory obligations related to money laundering and terrorist
financing. FCG is not intended to replace, compete or conflict with the
JMLSG’s guidance, which should remain a key resource for firms.

FCG 3 : Money laundering and Section 3.1 : Introduction
terrorist financing
3.1.7A The European Supervisory Authorities (ESAs) have produced guidelines that
firms should consider when assessing the ML/TF risk associated with a
business relationship or occasional transaction. The Money Laundering
Regulations require firms subject to the regulations to take account of these
guidelines when complying with the customer due diligence requirements in
Regulations 33 and 37.
3
3.1.8 When considering a firm’s systems and controls against money laundering
and terrorist financing, we will consider whether the firm has followed
relevant provisions of the JMLSG’s guidance, guidance issued by the FCA or
taken account of the ESA guidelines.

FCG 3 : Money laundering and Section 3.2 : Themes
terrorist financing
3.2 Themes
Governance
......................................................................................................
3.2.1 The guidance in ■ FCG 2.2.1G on governance in relation to financial crime also
applies to money laundering. We expect senior management to take
responsibility for the firm’s anti-money laundering (AML) measures. This
includes knowing about the money laundering risks to which the firm is
exposed and ensuring that steps are taken to mitigate those risks effectively.
Regulation 21(1)(a) of the Money Laundering Regulations requires that
where appropriate with regard to the size and nature of its business, firms
subject to the regulations must appoint one individual who is a member of
its board of directors (or if there is no board, of its equivalent management
body) or of its senior management as the officer responsible for compliance
with the regulations. Regulation 21(3) also requires the appointment of a
nominated officer. Regulation 21(4) requires a firm to inform their
supervisory authority of the identity of the individual appointed (including
any subsequent appointments) within 14 days of such appointment.
As ■ SYSC 6.3.9R and ■ SYSC 3.2.6IR also require firms subject to those
provisions to have an MLRO, the FCA expects that this individual can be the
same individual appointed under Regulation 21(1)(a) and/or 21(3) of the
Money Laundering Regulations and so firms do not need to make a separate
notification to the FCA.
•Who has overall responsibility for establishing and maintaining

effective AML controls? Are they sufficiently senior?
•What are the reporting lines?
•Do senior management receive informative, objective information

that is sufficient to enable them to meet their AML obligations?
•How regularly do senior management commission reports from the

MLRO? (This should be at least annually.) What do they do with the
reports they receive? What follow-up is there on any
recommendations the MLRO makes?
•How are senior management involved in approving relationships

with high risk customers, including politically exposed persons (PEPs)?

terrorist financing

• Reward structures take ac- • There is little evidence that
count of any failings related AML is taken seriously by
to AML compliance. senior management. It is seen
as a legal or regulatory neces-
sity rather than a matter of
true concern for the business. 3
• Decisions on accepting or • Senior management attach
maintaining high money laun- greater importance to the risk
dering risk relationships are re- that a customer might be in-
viewed and challenged inde- volved in a public scandal,
pendently of the business rela- than to the risk that the cus-
tionship and escalated to tomer might be corrupt or
senior management or otherwise engaged in finan-
committees. cial crime.
• Documentation provided to • The board never considers
senior management to inform MLRO reports.
decisions about entering or
maintaining a business rela-
tionship provides an accurate
picture of the risk to which
the firm would be exposed if
the business relationship were
established or maintained.
• A UK parent undertaking • A UK branch or subsidiary
meets the obligations under uses group policies which do
Regulation 20 of the Money not comply fully with UK AML
Laundering Regulations in- legislation and regulatory re-
cluding ensuring that AML pol- quirements.
icies, controls and procedures
apply to all its branches and
subsidiaries outside the UK.
The Money Laundering Reporting Officer (MLRO)

......................................................................................................
3.2.2 This section applies to firms who are subject to the money laundering
provisions in ■ SYSC 3.2.6A – J or ■ SYSC 6.3, except it does not apply to sole
traders who have no employees.
Firms to which this section applies must appoint an individual as MLRO. The
MLRO is responsible for oversight of the firm’s compliance with its anti-
money laundering obligations and should act as a focal point for the firm’s
AML activity.
•Does the MLRO have sufficient resources, experience, access and

seniority to carry out their role effectively?
•Do the firm’s staff, including its senior management, consult the
MLRO on matters relating to money-laundering?
•Does the MLRO escalate relevant matters to senior management

and, where appropriate, the board?
•What awareness and oversight does the MLRO have of the highest
risk relationships?

terrorist financing

• The MLRO is independent, • The MLRO lacks credibility
knowledgeable, robust and and authority, whether be-
well-resourced, and poses ef- cause of inexperience or lack
fective challenge to the busi- of seniority.
ness where warranted.
3 • The MLRO has a direct re- • The MLRO does not under-
porting line to executive man- stand the policies they are sup-
agement or the board. posed to oversee or the ration-
ale behind them.
• The MLRO of a firm which is a
member of a group has not
considered whether group
policy adequately addresses
UK AML obligations.
• The MLRO is unable to re-
trieve information about the
firm’s high-risk customers on
request and without delay
and plays no role in mon-
itoring such relationships.
See ■ SYSC 3.2.6IR and ■ SYSC 6.3.9R.
Risk assessment
......................................................................................................
3.2.3 The guidance in ■ FCG 2.2.4G on risk assessment in relation to financial crime
also applies to AML.
The assessment of money laundering risk is at the core of the firm’s AML
effort and is essential to the development of effective AML policies and
procedures. A firm is required by Regulation 18 of the Money Laundering
Regulations to undertake a risk assessment.
Firms must therefore put in place systems and controls to identify, assess,
monitor and manage money laundering risk. These systems and controls
must be comprehensive and proportionate to the nature, scale and
complexity of a firm’s activities. Firms must regularly review their risk
assessment to ensure it remains current.
•Which parts of the business present greater risks of money

laundering? (Has your firm identified the risks associated with
different types of customer or beneficial owner, product,
transactions, business line, geographical location and delivery
channel (e.g. internet, telephone, branches)? Has it assessed the
extent to which these risks are likely to be an issue for the firm?)
•How does the risk assessment inform your day-to-day operations?

(For example, is there evidence that it informs the level of customer
due diligence you apply or your decisions about accepting or
maintaining relationships?)

terrorist financing

• There is evidence that the firm’s risk • An inappropriate risk
assessment informs the design of anti- classification system
money laundering controls. makes it almost imposs-
ible for a relationship to
be classified as ‘high
risk’. 3
• The firm has identified good sources • Higher risk countries are
of information on money laundering allocated low-risk scores
risks, such as National Risk Assess- to avoid enhanced due
ments, ESA Guidelines, FATF mutual diligence measures.
evaluations and typology reports,
NCA alerts, press reports, court judge-
ments, reports by non-governmental
organisations and commercial due dili-
gence providers.
• Consideration of money laundering • Relationship managers
risk associated with individual busi- are able to override cus-
ness relationships takes account of fac- tomer risk scores with-
tors such as: out sufficient evidence
to support their
company structures;
decision.
political connections;
country risk;
the customer’s or beneficial
owner’s reputation;
source of wealth;
source of funds;
expected account activity;
sector risk; and
involvement in public contracts.
• The firm identifies where there is a • Risk assessments on
risk that a relationship manager money laundering are
might become too close to customers unduly influenced by
to identify and take an objective view the potential profitabil-
of the money laundering risk. It man- ity of new or existing re-
ages that risk effectively. lationships.
• The firm cannot evid-
ence why customers are
rated as high, medium
or low risk.
• A UK branch or subsidi-
ary relies on group risk
assessments without as-
sessing their compliance
with UK AML re-
quirements.
See regulation 18 of the Money Laundering Regulations, ■ SYSC 3.2.6AR,
■ SYSC 3.2.6CR, ■ SYSC 6.3.1R and ■ SYSC 6.3.3R.
Customer due diligence (CDD) checks

......................................................................................................
3.2.4 Firms must identify their customers and, where applicable, their beneficial
owners, and then verify their identities. Firms must also understand the
purpose and intended nature of the customer’s relationship with the firm

terrorist financing
and collect information about the customer and, where relevant, beneficial
owner. This should be sufficient to obtain a complete picture of the risk
associated with the business relationship and provide a meaningful basis for
subsequent monitoring.
In situations where the money laundering risk associated with the business
relationship is increased, banks must carry out additional, enhanced due
3 diligence (EDD). ■ FCG 3.2.8G below considers enhanced due diligence.
Where a firm cannot apply customer due diligence measures, including
where a firm cannot be satisfied that it knows who the beneficial owner is, it
must not enter into, or continue, the business relationship.
•Does your firm apply customer due diligence procedures in a risk-

sensitive way?
•Do your CDD processes provide you with a comprehensive

understanding of the risk associated with individual business
relationships?
•How does the firm identify the customer’s beneficial owner(s)? Are
you satisfied that your firm takes risk-based and adequate steps to
verify the beneficial owner’s identity in all cases? Do you understand
the rationale for beneficial owners using complex corporate
structures?
•Are procedures sufficiently flexible to cope with customers who

cannot provide more common forms of identification (ID)?

• A firm which uses e.g. • Procedures are not risk-based: the firm
electronic verification applies the same CDD measures to prod-
checks or PEPs data- ucts and customers of varying risk.
bases understands
their capabilities and
limitations.
• The firm can cater for • The firm has no method for tracking
customers who lack whether checks on customers are
common forms of ID complete.
(such as the socially ex-
cluded, those in care,
etc).
• The firm understands • The firm allows language difficulties or
and documents the customer objections to get in the way
ownership and control of proper questioning to obtain neces-
structures (including sary CDD information.
the reasons for any
complex or opaque cor-
porate structures) of
customers and their be-
neficial owners.
• The firm obtains in- • Staff do less CDD because a customer is
formation about the referred by senior executives or influen-
purpose and nature of tial people.
the business relation-
ship sufficient to be sat-
isfied that it under-

terrorist financing

stands the associated
money laundering risk.
• Staff who approve new • The firm has no procedures for dealing
or ongoing business re- with situations requiring enhanced due
lationships satisfy diligence. This breaches the Money
themselves that the Laundering Regulations. 3
firm has obtained ad-
equate CDD informa-
tion before doing so.
• The firm fails to consider:
any individuals who ultimately
control more than 25% of shares
or voting rights of a corporate
customer;
any individuals who exercise con-
trol over the management of a
corporate customer; and
any individuals who control the
body corporate
when identifying and verifying the cus-
tomer’s beneficial owners. This
breaches the Money Laundering Re-
gulations.
See regulations 5, 6, 27, 28, 31 33, 34 and 35 of the Money Laundering
Regulations.
Ongoing monitoring
......................................................................................................
3.2.5 A firm must conduct ongoing monitoring of its business relationships on a
risk-sensitive basis. Ongoing monitoring means scrutinising transactions to
ensure that they are consistent with what the firm knows about the
customer, and taking steps to ensure that the firm’s knowledge about the
business relationship remains current. As part of this, firms must keep
documents, data and information obtained in the CDD context (including
information about the purpose and intended nature of the business
relationship) up to date. It must apply CDD measures where it doubts the
truth or adequacy of previously obtained documents, data or information
(see ■ FCG 3.2.4G).
Where the risk associated with the business relationship is increased, firms
must carry out enhanced ongoing monitoring of the business relationship.
■ FCG 3.2.9G provides guidance on enhanced ongoing monitoring.
•How are transactions monitored to spot potential money

laundering? Are you satisfied that your monitoring (whether
automatic, manual or both) is adequate and effective considering
such factors as the size, nature and complexity of your business?
•Does the firm challenge unusual activity and explanations provided

by the customer where appropriate?

terrorist financing
•How are unusual transactions reviewed? (Many alerts will be false

alarms, particularly when generated by automated systems. How
does your firm decide whether behaviour really is suspicious?)
•How do you feed the findings from monitoring back into the
customer’s risk profile?
3 Examples of good practice Examples of poor practice

• A large retail firm • The firm fails to take ad-
complements its other efforts equate measures to under-
to spot potential money laun- stand the risk associated with
dering by using an automated the business relationship and
system to monitor is therefore unable to conduct
transactions meaningful monitoring.
• Where a firm uses automated • The MLRO can provide little
transaction monitoring sys- evidence that unusual transac-
tems, it understands their cap- tions are brought to their
abilities and limitations. attention.
• Small firms are able to apply • Staff always accept a cus-
credible manual procedures to tomer’s explanation for un-
scrutinise customers’ usual transactions at face
behaviour. value and do not probe
further.
• The ‘rules’ underpinning mon- • The firm does not take risk-
itoring systems are under- sensitive measures to ensure
stood by the relevant staff CDD information is up to
and updated to reflect new date. This is a breach of the
trends. Money Laundering Re-
gulations.
• The firm uses monitoring re-
sults to review whether CDD
remains adequate.
• The firm takes advantage of
customer contact as an oppor-
tunity to update due diligence
information.
• Customer-facing staff are en-
gaged with, but do not con-
trol, the ongoing monitoring
of relationships.
• The firm updates CDD in-
formation and reassesses the
risk associated with the busi-
ness relationship where mon-
itoring indicates material
changes to a customer’s
profile.
See regulations 27, 28(11), 33, 34 of the Money Laundering Regulations.
Source of wealth and source of funds

......................................................................................................
3.2.6 Establishing the source of funds and the source of wealth can be useful for
ongoing monitoring and due diligence purposes because it can help firms
ascertain whether the level and type of transaction is consistent with the
firm’s knowledge of the customer. It is a requirement where the customer is
a PEP.

terrorist financing
‘Source of wealth’ describes how a customer or beneficial owner acquired

their total wealth.
‘Source of funds’ refers to the origin of the funds involved in the business
relationship or occasional transaction. It refers to the activity that generated
the funds, for example salary payments or sale proceeds, as well as the
means through which the customer’s or beneficial owner’s funds were
transferred. 3
The JMLSG’s guidance provides that, in situations where the risk of money
laundering/terrorist financing is very low and subject to certain conditions,
firms may assume that a payment drawn on an account in the customer’s
name with a UK, EU or equivalent regulated credit institution satisfied the
standard CDD requirements. This is sometimes referred to as ‘source of funds
as evidence’ and is distinct from ‘source of funds’ in the context of
Regulation 28(11) and Regulations 33 and 35 of the Money Laundering
Regulations and of FCG. Nothing in FCG prevents the use of ‘source of funds
as evidence’ in situations where this is appropriate.
Where the customer is either a PEP, a family member of a PEP or known
close associate of a PEP, a firm may have regard to guidance issued by the
FCA on the treatment of PEPs.
[Editor’s Note: see https://www.fca.org.uk/publications/finalised-guidance/
fg17-6-treatment-politically-exposed-persons-peps-money-laundering.]
Handling higher risk situations

......................................................................................................
3.2.7 The law requires that firms’ anti-money laundering policies and procedures
are sensitive to risks. This means that in higher risk situations, firms must
apply enhanced due diligence and ongoing monitoring. Situations that
present a higher money laundering risk might include, but are not restricted
to: customers linked to higher risk countries or business sectors; or who have
unnecessarily complex or opaque beneficial ownership structures; and
transactions which are unusual, lack an obvious economic or lawful purpose,
are complex or large or might lend themselves to anonymity.
The Money Laundering Regulations also set out some scenarios in which
specific enhanced due diligence measures have to be applied:
•Correspondent relationships: where a correspondent credit

institution or financial institution is outside the EEA, the UK credit or
financial institution should apply EDD measures commensurate to the
risk of the relationship. This can include in higher risk situations
thoroughly understanding its correspondent’s business, reputation,
and the quality of its defences against money laundering and
terrorist financing. Senior management must also give approval
before establishing a new correspondent relationship. JMLSG
guidance sets out how firms should apply EDD in differing
correspondent trading relationships.
•Politically exposed persons (PEPs), family members and known

close associates of a PEP: a PEP is a person entrusted with a
prominent public function, other than as a middle-ranking or more
junior official. PEPs (as well as their family members and known close
associates) must be subject to enhanced scrutiny. A senior manager at
an appropriate level of authority must also approve the initiation of
a business relationship with a PEP (or with a family member, or
known close associate, of a PEP). This includes approving a
relationship continuing with an existing customer who became a PEP

terrorist financing
after the relationship begun. In meeting these obligations firms may

have regard to the FCA’s guidance on a risk-based approach to PEPs.
•Business relationships or transactions with a person established in a

high risk third countries: the Money Laundering Regulations define a
high-risk third country as being one identified by the EU Commission
by a delegated act. See EU Regulation 2016/1675 (as amended from
3 time to time).
•Other transactions: EDD must be performed:

() in any case where a transaction is complex and unusually large, or
there is an unusual pattern of transactions, and the transaction or
transactions have no apparent economic or legal purpose.
() in any other case which by its nature can present a higher risk of
money laundering or terrorist financing.
The extent of enhanced due diligence measures that a firm undertakes can
be determined on a risk-sensitive basis. The firm must be able to
demonstrate that the extent of the enhanced due diligence measures it
applies is commensurate with the money laundering and terrorist financing
risks.
See regulations 19, 20, 21, 28(16), 33 and 34 of the Money Laundering
Regulations.
Handling higher risk situations – enhanced due diligence (EDD)

......................................................................................................
3.2.8 Firms must apply EDD measures in situations that present a higher risk of
money laundering.
EDD should give firms a greater understanding of the customer and their
associated risk than standard due diligence. It should provide more certainty
that the customer and/or beneficial owner is who they say they are and that
the purposes of the business relationship are legitimate; as well as increasing
opportunities to identify and deal with concerns that they are not.
■ FCG 3.2.3G considers risk assessment.
The extent of EDD must be commensurate to the risk associated with the
business relationship or occasional transaction but firms can decide, in most
cases, which aspects of CDD they should enhance. This will depend on the
reason why a relationship or occasional transaction was classified as high
risk.
Examples of EDD include:
•obtaining more information about the customer’s or beneficial

owner’s business
•obtaining more robust verification of the beneficial owner’s identity

based on information from a reliable and independent source
•gaining a better understanding of the customer’s or beneficial

owner’s reputation and/or role in public life and assessing how this
affects the level of risk associated with the business relationship
•carrying out searches on a corporate customer’s directors or other

individuals exercising control to understand whether their business or
integrity affects the level of risk associated with the business
relationship

terrorist financing
•establishing how the customer or beneficial owner acquired their

wealth to be satisfied that it is legitimate
•establishing the source of the customer’s or beneficial owner’s funds

to be satisfied that they do not constitute the proceeds from crime.
3
•How does EDD differ from standard CDD? How are issues that are
flagged during the due diligence process followed up and resolved?
Is this adequately documented?
•How is EDD information gathered, analysed, used and stored?
•What involvement do senior management or committees have in

approving high risk customers? What information do they receive to
inform any decision-making in which they are involved?

• The MLRO (and their team) • Senior management do not
have adequate oversight of give approval for taking on
all high risk relationships. high risk customers. If the cus-
tomer is a PEP or a non-EEA
correspondent , this breaches
the Money Laundering Re-
gulations.
• The firm establishes the legit- • [deleted]
imacy of, and documents, the
source of wealth and source
of funds used in high risk busi-
ness relationships.
• Where money laundering risk • The firm does not distinguish
is very high, the firm obtains between the customer’s
independent internal or ex- source of funds and their
ternal intelligence reports. source of wealth.
• When assessing EDD, the firm • The firm relies entirely on a
complements staff knowledge single source of information
of the customer or beneficial for its enhanced due
owner with more objective in- diligence.
formation.
• The firm is able to provide • A firm relies on intra-group in-
evidence that relevant in- troductions where overseas
formation staff have about standards are not UK-equiva-
customers or beneficial lent or where due diligence
owners is documented and data is inaccessible because of
challenged during the CDD legal constraints.
process.
• A member of a group satisfies • The firm considers the credit
itself that it is appropriate to risk posed by the customer,
rely on due diligence per- but not the money laun-
formed by other entities in dering risk.
the same group.

terrorist financing

• The firm proactively follows • The firm disregards allega-
up gaps in, and updates, CDD tions of the customer’s or be-
of higher risk customers. neficial owner’s criminal activ-
ity from reputable sources re-
peated over a sustained
3 period of time.
• A correspondent bank seeks • The firm ignores adverse al-
to identify PEPs associated legations simply because cus-
with their respondents tomers hold a UK investment
visa.
• . A correspondent bank takes • A firm grants waivers from es-
a view on the strength of the tablishing source of funds,
AML regime in a respondent source of wealth or other due
bank’s home country, drawing diligence without good
on discussions with the re- reason.
spondent, overseas regulators
and other relevant bodies.
• A correspondent bank gathers • A correspondent bank con-
information about respondent ducts inadequate due dili-
banks’ procedures for sanc- gence on parents and affili-
tions screening, PEP identifica- ates of respondents.
tion and management, ac-
count monitoring and suspi-
cious activity reporting.
• A correspondent bank relies
exclusively on the Wolfsberg
Group AML questionnaire.
See regulations 33, 34, 34(1)(d), 35 and 35(5)(a) of the Money Laundering
Regulations.
Handling higher risk situations – enhanced ongoing monitoring

......................................................................................................
3.2.9 Firms must enhance their ongoing monitoring in higher risk situations.
•How does your firm monitor its high risk business relationships?
How does enhanced ongoing monitoring differ from ongoing
monitoring of other business relationships?
•Are reviews carried out independently of relationship managers?
•What information do you store in the files of high risk customers? Is

it useful? (Does it include risk assessment, verification evidence,
expected account activity, profile of customer or business relationship
and, where applicable, information about the ultimate beneficial
owner?)

• Key AML staff have a good un- • The firm treats annual reviews
derstanding of, and easy ac- as a tick-box exercise and cop-
cess to, information about a ies information from previous
bank’s highest risk customers. reviews without thought.
• New higher risk clients are • A firm in a group relies on
more closely monitored to con- others in the group to carry

terrorist financing

firm or amend expected ac- out monitoring without un-
count activity. derstanding what they did
and what they found.
• Alert thresholds on auto- • There is insufficient challenge
mated monitoring systems are to explanations from relation-
lower for PEPs and other ship managers and customers 3
higher risk customers. Excep- about unusual transactions.
tions are escalated to more
senior staff.
• Decisions across a group on • The firm focuses too much on
whether to keep or exit high reputational or business
risk relationships are consist- issues when deciding whether
ent and in line with the firm’s to exit relationships with a
overall risk appetite or as- high money laundering risk.
sessment.
• The firm makes no enquiries
when accounts are used for
purposes inconsistent with ex-
pected activity (e.g. personal
accounts being used for
business).
See regulation 33(1) of the Money Laundering Regulations.
Liaison with law enforcement

......................................................................................................
3.2.10 Firms must have a nominated officer. The nominated officer has a legal
obligation to report any knowledge or suspicions of money laundering to
the National Crime Agency (NCA) through a ‘Suspicious Activity Report’, also
known as a ‘SAR’. (See ■ FCG Annex 1 list of common terms for more
information about nominated officers and Suspicious Activity Reports.)
Staff must report their concerns and may do so to the firm’s nominated
officer, who must then consider whether a report to NCA is necessary based
on all the information at their disposal. Law enforcement agencies may seek
information from the firm about a customer, often through the use of
Production Orders (see ■ FCG Annex 1).
•Is it clear who is responsible for different types of liaison with the
authorities?
•How does the decision-making process related to SARs work in the

firm?
•Are procedures clear to staff?
•Do staff report suspicions to the nominated officer? If not, does the
nominated officer take steps to identify why reports are not being
made? How does the nominated officer deal with reports received?
•What evidence is there of the rationale underpinning decisions

about whether a SAR is justified?
•Is there a documented process for responding to Production Orders,

with clear timetables?

terrorist financing

• All staff understand proced- • The nominated officer passes
ures for escalating suspicions all internal reports to NCA
and follow them as required. without considering whether
they truly are suspicious.
These ‘defensive’ reports are
3 likely to be of little value.
• The firm’s SARs set out a clear • The nominated officer dis-
narrative of events and in- misses concerns escalated by
clude detail that law enforce- staff without reasons being
ment authorities can use (e.g. documented.
names, addresses, passport
numbers, phone numbers, em-
ail addresses).
• SARs set out the reasons for • The firm does not train staff
suspicion in plain English. to make internal reports,
They include some context on thereby exposing them to per-
any previous related SARs ra- sonal legal liability and in-
ther than just a cross- creasing the risk that suspi-
reference. cious activity goes un-
reported.
• There is a clear process for • The nominated officer turns a
documenting decisions. blind eye where a SAR might
harm the business. This could
be a criminal offence.
• A firm’s processes for dealing • A firm provides extraneous
with suspicions reported to it and irrelevant detail in re-
by third party administrators sponse to a Production Order.
are clear and effective.
See regulation 21 of the Money Laundering Regulations and s.330 POCA and
s.331 POCA and s.21A of the Terrorism Act 2000.
Record keeping and reliance on others

......................................................................................................
3.2.11 Firms must keep copies of any documents and information obtained to meet
CDD requirements and sufficient supporting records for transactions for five
years after the business relationship ends or five years after an occasional
transaction. However, records relating to transactions occurring in a business
relationship need not be kept beyond 10 years. Where a firm is relied on by
others to do due diligence checks, it must keep its records of those checks
for the same time period. Firms must keep records sufficient to demonstrate
to us that their CDD measures are appropriate in view of the risk of money
laundering and terrorist financing. Regulation 40(5) requires that any data
collected is deleted after these periods. Regulation 41 also sets out that
personal data collected under the Money Laundering Regulations should
only be processed for the purposes of preventing money laundering or
terrorist financing.
•Can your firm retrieve records promptly in response to a Production

Order?
•If the firm relies on others to carry out AML checks (see ‘Reliance’ in
■ FCG Annex 1), is this within the limits permitted by the Money
Laundering Regulations? How does it satisfy itself that it can rely on
these firms?

terrorist financing

• Records of customer ID and • The firm keeps customer re-
transaction data can be records and related information
trieved quickly and without in a way that restricts the
delay. firm’s access to these records
or their timely sharing with
authorities. 3
• Where the firm routinely re- • A firm cannot access CDD and
lies on checks done by a third related records for which it
party (for example, a fund pro- has relied on a third party.
vider relies on an IFA’s This breaches the Money
checks), it requests sample Laundering Regulations.
documents to test their re-
liability.
• Significant proportions of
CDD records cannot be re-
trieved in good time.
• The firm has not considered
whether a third party con-
sents to being relied upon.
• There are gaps in customer re-
cords, which cannot be
explained.
See regulations 28(16), 40 and 40(7) of the Money Laundering Regulations.
Countering the finance of terrorism

......................................................................................................
3.2.12 Firms have an important role to play in providing information that can assist
the authorities with counter-terrorism investigations. Many of the controls
firms have in place in relation to terrorism will overlap with their anti-money
laundering measures, covering, for example, risk assessment, customer due
diligence checks, transaction monitoring, escalation of suspicions and liaison
with the authorities.
•How have risks associated with terrorist finance been assessed? Did
assessments consider, for example, risks associated with the customer
base, geographical locations, product types, distribution channels,
etc.?
•Is it clear who is responsible for liaison with the authorities on

matters related to countering the finance of terrorism? (See
■ FCG 3.2.10G)

• The firm has and uses an ef- • Financial crime training does
fective process for liaison with not mention terrorist
the authorities. financing.
• A firm identifies sources of in- • A firm doing cross-border busi-
formation on terrorist finan- ness has not assessed terror-
cing risks: e.g. press reports, ism-related risks in countries
NCA alerts, Financial Action in which it has a presence or
Task Force typologies, court does business.
judgements, etc.

terrorist financing

• This information informs the • A firm has not considered if
design of transaction mon- its approach to customer due
itoring systems. diligence is able to capture in-
formation relevant to the
risks of terrorist finance.
3 • Suspicions raised within the
firm inform its own ty-
pologies.
Customer payments
......................................................................................................
3.2.13 This section applies to banks subject to ■ SYSC 6.3.
Interbank payments can be abused by criminals. International policymakers
have taken steps intended to increase the transparency of interbank
payments, allowing law enforcement agencies to more easily trace payments
related to, for example, drug trafficking or terrorism. The Funds Transfer
Regulation requires banks to collect and attach information about payers
and payees of wire transfers (such as names and addresses, or, if a payment
moves within the EU, a unique identifier like an account number) to
payment messages. Banks are also required to check this information is
present on inbound payments, and chase missing data. The FCA has a legal
responsibility to supervise banks’ compliance with these requirements.
Concerns have also been raised about interbank transfers known as “cover
payments” (see ■ FCG Annex 1) that can be abused to disguise funds’ origins.
To address these concerns, the SWIFT payment messaging system now allows
originator and beneficiary information to accompany these payments.
•How does your firm ensure that customer payment instructions

contain complete payer and payee information? (For example, does
it have appropriate procedures in place for checking payments it has
received?)
•Does the firm review its respondent banks’ track record on

providing payer data and using appropriate SWIFT messages for
cover payments?
•Does the firm use guidance issued by the ESAs? [Editor’s Note: see
http://www.eba.europa.eu/-/esas-provide-guidance-to-prevent-
terrorist-financing-and-money-laundering-in-electronic-fund-
transfers.].

• Following processing, • A bank fails to make use of the correct
banks conduct risk- SWIFT message type for cover
based sampling for in- payments.
ward payments to
identify inadequate
payer and payee in-
formation.

terrorist financing

• An intermediary bank • Compliance with regulations related to
chases up missing in- international customer payments has
formation. not been reviewed by the firm’s in-
ternal audit or compliance de-
partments.
The following practices breach the
3
Funds Transfer Regulation:
• A bank sends dummy International customer payment
messages to test the instructions sent by the payer’s
effectiveness of filters. bank lack meaningful payer and
payee information.
• A bank is aware of An intermediary bank strips
guidance from the Ba- payee or payer information from
sel Committee and the payment instructions before pass-
Wolfsberg Group on ing the payment on.
the use of cover pay-
ments, and has consid-
ered how this should
apply to its own op-
erations.
• The quality of payer The payee bank does not check
and payee information any incoming payments to see if
in payment instruc- they include complete and mean-
tions from respondent ingful data.
banks is taken into ac-
count in the bank’s on-
going review of corres-
pondent banking rela-
tionships.
• The firm actively en-
gages in peer discus-
sions about taking ap-
propriate action
against banks which
persistently fail to pro-
vide complete payer in-
formation.
Case study – poor AML controls

......................................................................................................
3.2.14 The FSA fined Alpari (UK) Ltd, an online provider of foreign exchange
services, £140,000 in May 2010 for poor anti-money laundering controls.
•Alpari failed to carry out satisfactory customer due diligence

procedures at the account opening stage and failed to monitor
accounts adequately.
•These failings were particularly serious given that the firm did
business over the internet and had customers from higher risk
jurisdictions.
•The firm failed to ensure that resources in its compliance and anti-
money laundering areas kept pace with the firm’s significant growth.
Alpari’s former money laundering reporting officer was also fined £14,000
for failing to fulfil his duties.

terrorist financing
See the FSA’s press release for more information: www.fsa.gov.uk/pages/

Library/Communication/PR/2010/077.shtml
Case studies – wire transfer failures

......................................................................................................
3.2.15 A UK bank that falls short of our expectations when using payment messages
3 does not just risk FCA enforcement action or prosecution; it can also face
criminal sanctions abroad.
In January 2009, Lloyds TSB agreed to pay US$350m to US authorities after
Lloyds offices in Britain and Dubai were discovered to be deliberately
removing customer names and addresses from US wire transfers connected
to countries or persons on US sanctions lists. The US Department of Justice
concluded that Lloyds TSB staff removed this information to ensure
payments would pass undetected through automatic filters at American
financial institutions. See its press release: www.usdoj.gov/opa/pr/2009/
January/09-crm-023.html.
In August 2010, Barclays Bank PLC agreed to pay US$298m to US authorities
after it was found to have implemented practices designed to evade US
sanctions for the benefit of sanctioned countries and persons, including by
stripping information from payment messages that would have alerted US
financial institutions about the true origins of the funds. The bank self-
reported the breaches, which took place over a decade-long period from as
early as the mid-1990s to September 2006. See the US Department of
Justice’s press release: www.justice.gov/opa/pr/2010/August/10-crm-933.html.
Case study – poor AML controls: PEPs and high risk customers
......................................................................................................
3.2.16 The FSA fined Coutts & Company £8.75 million in March 2012 for poor AML
systems and controls. Coutts failed to take reasonable care to establish and
maintain effective anti-money laundering systems and controls in relation to
their high risk customers, including in relation to customers who are
Politically Exposed Persons.
•Coutts failed adequately to assess the level of money laundering risk

posed by prospective and existing high risk customers.
•The firm failed to gather sufficient information to establish their

high risk customers’ source of funds and source of wealth, and to
scrutinise appropriately the transactions of PEPs and other high risk
accounts.
•The firm failed to ensure that resources in its compliance and anti-
money laundering areas kept pace with the firm’s significant growth.
These failings were serious, systemic and were allowed to persist for almost
three years. They were particularly serious because Coutts is a high profile
bank with a leading position in the private banking market, and because the
weaknesses resulted in an unacceptable risk of handling the proceeds of
crime.
This was the largest fine yet levied by the FSA for failures related to financial
crime.
See the FSA’s press release for more information: www.fsa.gov.uk/library/
communication/pr/2012/032.shtml

terrorist financing
Poor AML controls: risk assessment

......................................................................................................
3.2.17 The FSA fined Habib Bank AG Zurich £525,000, and its MLRO £17,500, in May
2012 for poor AML systems and controls.
Habib Bank AG Zurich failed adequately to assess the level of money
laundering risk associated with its business relationships. For example, the
firm excluded higher risk jurisdictions from its list of high risk jurisdictions on
the basis that it had group offices in them. 3
•Habib Bank AG Zurich failed to conduct timely and adequate
enhanced due diligence on higher risk customers by failing to gather
sufficient information and supporting evidence
•The firm also failed to carry out adequate reviews of its AML
systems and controls.
•The MLRO failed properly to ensure the establishment and

maintenance of adequate and effective anti- money laundering risk
management systems and controls.
See the FSA’s press release for more information: www.fsa.gov.uk/library/

communication/pr/2012/055.shtml

FCG 3 : Money laundering and Section 3.3 : Further guidance
terrorist financing
3.3.1 FCTR contains the following additional AML guidance:
• ■ FCTR 4 summarises the findings of, and consolidates good and

poor practice from, the FSA’s thematic review of Automated Anti-
Money Laundering Transaction Monitoring Systems
• ■ FCTR 5 summarises the findings of, and consolidates good and

poor practice from, the FSA’s Review of firms’ implementation of a
risk-based approach to anti-money laundering (AML)
• ■ FCTR 10 summarises the findings of the Small Firms Financial Crime

Review. It contains guidance directed at small firms on:
Regulatory/Legal obligations (■ FCTR 10.3.1G)
Account opening procedures (■ FCTR 10.3.2G)
Monitoring activity (■ FCTR 10.3.3G)
Suspicious activity reporting (■ FCTR 10.3.4G)
Records (■ FCTR 10.3.5G)
Responsibilities and risk assessments (■ FCTR 10.3.7G)
• ■ FCTR 12 summarises the findings of the FSA’s thematic review of

Banks’ management of high money laundering risk situations. It
includes guidance on:
High risk customers and PEPs – AML policies and procedures
(■ FCTR 12.3.2G)
High risk customers and PEPs – Risk assessment (■ FCTR 12.3.3G)
High risk customers and PEPs – Customer take-on (■ FCTR 12.3.4G)
High risk customers and PEPs – Enhanced monitoring of high risk
relationships (■ FCTR 12.3.5G)
Correspondent banking – Risk assessment of respondent banks
(■ FCTR 12.3.6G)
Correspondent banking – Customer take-on (■ FCTR 12.3.7G)
Correspondent banking – Ongoing monitoring of respondent
accounts (■ FCTR 12.3.8G)
Wire transfers – Paying banks (■ FCTR 12.3.9G)
Wire transfers – Intermediary banks (■ FCTR 12.3.10G)
Wire transfers – Beneficiary banks (■ FCTR 12.3.11G)

FCG 3 : Money laundering and Section 3.3 : Further guidance
terrorist financing
Wire transfers – Implementation of SWIFT MT202COV

(■ FCTR 12.3.12G)
3.3.2 FCTR also summarises the findings of the following thematic reviews:
• ■ FCTR 3: Review of private banks’ anti-money laundering systems

and controls 3
• ■ FCTR 7: Review of financial crime controls in offshore centres
• ■ FCTR 15: Banks’ control of financial crime risks in trade finance

(2013)

FCG 3 : Money laundering and Section 3.4 : Sources of further information
terrorist financing
3.4.1 To find out more on anti-money laundering, see:
• The Money Laundering Regulations

The NCA’s website, which contains information on how to report
suspicions of money laundering:
www.nationalcrimeagency.gov.uk
•The UK National risk assessment of money laundering and
terrorist financing 2017- https://www.gov.uk/government/
publications/national-risk-assessment-of-money-laundering-and-
terrorist-financing-2017
•The JMLSG’s guidance on measures firms can take to meet their
anti-money laundering obligations, which is available from its
website:www.jmlsg.org.uk .
3.4.2 To find out more on countering terrorist finance, see:
•Material relevant to terrorist financing that can be found

throughout the JMLSG guidance: www.jmlsg.org.uk
•The European Supervisory Authorities (ESAs) have published risk

factors guidelines under Articles 17 and 18(4) of Directive (EU) 2015/
849- https://www.eba.europa.eu/-/esas-publish-aml-cft-guidelines
•FATF’s work on terrorist financing: http://www.fatf-gafi.org/

publications/fatfgeneral/documents/terroristfinancing.html
3.4.3 To find out more on customer payments, see:
•Chapter 1 of Part III (Transparency in electronic payments (Wire

transfers)) of the JMLSG’s guidance, which will be banks’ chief source
of guidance on this topic: www.jmlsg.org.uk
•The Basel Committee’s May 2009 paper on due diligence for cover
payment messages: www.bis.org/publ/bcbs154.pdf
•The Wolfsberg Group’s statement on payment standards: https://

www.wolfsberg-principles.com/sites/default/files/wb/pdfs/wolfsberg-
standards/1.%20Wolfsberg-Payment-Transparency-Standards-October-
2017.pdf

terrorist financing
•Joint Guidelines to prevent terrorist financing and money

laundering in electronic fund transfers- http://www.eba.europa.eu/-/
esas-provide-guidance-to-prevent-terrorist-financing-and-money-
laundering-in-electronic-fund-transfers
•The Funds Transfer Regulation (EU Regulation 847/2015 on

information on the payer accompanying transfers of funds): http://
data.europa.eu/eli/reg/2015/847/oj 3
3.4.4 To find out more on correspondent banking relationships see:
•FATF Guidance on correspondent banking services (October 2016)-

http://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-
Correspondent-Banking-Services.pdf
•Basel Committee on Banking Supervision guidance “Sound

management of risks related to money laundering and financing of
terrorism: revisions” (updated July 2017) https://www.bis.org/bcbs/
publ/d405.htm

terrorist financing

Fraud
Chapter 4
Fraud

FCG 4 : Fraud Section 4.1 : Introduction
4.1 Introduction
financial crime rules in ■ SYSC 3.2.6R or ■ SYSC 6.1.1R and to e-money
institutions and payment institutions within our supervisory scope, with the
following exceptions:
1 • ■ FCG 4.2.2 applies only to mortgage lenders within our

supervisory scope;
2 • ■ FCG 4.2.3 applies to mortgage intermediaries only; and
3 • ■ FCG 4.2.5 applies to retail deposit takers only.
4.1.2 All firms must take steps to defend themselves against financial crime, but a
variety of approaches is possible. This chapter provides guidance on themes
that should form the basis of managing financial crime risk. The general
topics outlined here are also relevant in the context of the specific financial
crime risks detailed in subsequent chapters.
4.1.3 The contents of FCG’s fraud chapter reflect the FSA’s previous thematic work
in this area. This means it does not specifically address such topics as plastic
card, cheque or insurance fraud. This is not because the FCA regards fraud
prevention as unimportant. Rather it reflects our view that our limited
resources are better directed elsewhere, given the strong incentive firms
should have to protect themselves from fraud; and the number of other
bodies active in fraud prevention. Links to some of these other bodies are
provided in ■ FCG 4.4.

FCG 4 : Fraud Section 4.2 : Themes
4.2 Themes
Preventing losses from fraud

......................................................................................................
4.2.1 All firms will wish to protect themselves and their customers from fraud.
Management oversight, risk assessment and fraud data will aid this, as will
tailored controls on the ground. We expect a firm to consider the full
implications of the breadth of fraud risks it faces, which may have wider
effects on its reputation, its customers and the markets in which it operates.
The general guidance in ■ FCG 2 also applies in relation to fraud.
•What information do senior management receive about fraud

trends? Are fraud losses accounted for clearly and separately to other
losses?
•Does the firm have a clear picture of what parts of the business are
targeted by fraudsters? Which products, services and distribution
channels are vulnerable?
•How does the firm respond when reported fraud increases?
•Does the firm’s investment in anti-fraud systems reflect fraud

trends?

• The firm takes a view on what • Senior management appear
areas of the firm are most vul- unaware of fraud incidents
nerable to fraudsters, and and trends. No management
tailors defences accordingly. information is produced.
• Controls adapt to new fraud • Fraud losses are buried in bad
threats. debts or other losses.
• The firm engages with relev- • There is no clear and consist-
ant cross-industry efforts to ent definition of fraud across
combat fraud (e.g. data-shar- the business, so reporting is
ing initiatives like CIFAS and haphazard.
the Insurance Fraud Bureau,
collaboration to strengthen
payment systems, etc.) in rela-
tion to both internal and ex-
ternal fraud.
• Fraud response plans and in- • Fraud risks are not explored
vestigation procedures set out when new products and deliv-
how the firm will respond to ery channels are developed.
incidents of fraud.


• Lessons are learnt from incid- • Staff lack awareness of what
ents of fraud. constitutes fraudulent behavi-
our (e.g. for a salesman to mis-
report a customer’s salary to
secure a loan would be
fraud).
• Anti-fraud good practice is • Sales incentives act to encour-
shared widely within the firm. age staff or management to
4 turn a blind eye to potential
fraud.
• To guard against insider • Banks fail to implement the
fraud, staff in high risk posi- requirements of the Payment
tions (e.g. finance depart- Services Regulations and
ment, trading floor) are sub- Banking Conduct of Business
ject to enhanced vetting and rules, leaving customers out
closer scrutiny. ‘Four eyes’ pro- of pocket after fraudulent
cedures (see FCG Annex 1 for transactions are made.
common terms) are in place.
• Enhanced due diligence is per- • Remuneration structures may
formed on higher risk cus- incentivise behaviour that in-
tomers (e.g. commercial cus- creases the risk of mortgage
tomers with limited financial fraud.
history. See ‘long firm fraud’
in FCG Annex 1).
Mortgage fraud – lenders

......................................................................................................
4.2.2 This section applies to mortgage lenders within the supervisory scope of the
appropriate regulator.
•Are systems and controls to detect and prevent mortgage fraud

coordinated across the firm, with resources allocated on the basis of
an assessment of where they can be used to best effect?
•How does your firm contain the fraud risks posed by corrupt
conveyancers, brokers and valuers?
•How and when does your firm engage with cross-industry

information-sharing exercises?

• A firm’s underwriting process • A lender fails to report relev-
can identify applications that ant information to the FCA’s
may present a higher risk of Information from Lenders
mortgage fraud. (IFL) scheme as per FCA guid-
ance on IFL referrals.
• Membership of a lender’s • A lender lacks a clear defini-
panels of brokers, conveyan- tion of mortgage fraud, un-
cers and valuers is subject to dermining data collection and
ongoing review. Dormant trend analysis.
third parties are identified.


• A lender reviews existing • A lender’s panels of conveyan-
mortgage books to identify cers, brokers and valuers are
and assess mortgage fraud in- too large to be manageable.
dicators.
• A lender verifies that funds • The lender does no work to
are being dispersed in line identify dormant parties.
with instructions before it re-
leases them.
4
• A lender promptly discharges • A lender relies solely on the
mortgages that have been re- Financial Services Register
deemed and checks whether when vetting brokers.
conveyancers register charges
with the Land Registry in
good time.
• Underwriters’ demanding
work targets undermine ef-
forts to contain mortgage
fraud.
Mortgage fraud – intermediaries

......................................................................................................
4.2.3 This section applies to mortgage intermediaries.
•does your firm satisfy itself that it is able to recognise mortgage

fraud?
•When processing applications, does your firm consider whether the

information the applicant provides is consistent? (For example, is
declared income believable compared with stated employment? Is
the value of the requested mortgage comparable with what your
firm knows about the location of the property to be purchased?)
•What due diligence does your firm undertake on introducers?

• Asking to see original docu- • Failing to undertake due dili-
mentation whether or not this gence on introducers.
is required by lenders.
• Using the FCA’s Information • Accepting all applicant in-
from Brokers scheme to re- formation at face value.
port intermediaries it suspects
of involvement in mortgage
fraud.
• Treating due diligence as the
lender’s responsibility.
Enforcement action against mortgage brokers

......................................................................................................
4.2.4 Since the FSA began regulating mortgage brokers in October 2004, the FSA
have banned over 100 mortgage brokers. Breaches have included:

•deliberately submitting to lenders applications containing false or

misleading information; and
•failing to have adequate systems and controls in place to deal with

the risk of mortgage fraud.
The FSA have referred numerous cases to law enforcement, a number of

which have resulted in criminal convictions.
4 Investment fraud
......................................................................................................
4.2.5 UK consumers are targeted by share-sale frauds and other scams including
land-banking frauds, unauthorised collective investment schemes and Ponzi
schemes. Customers of UK deposit-takers may fall victim to these frauds, or
be complicit in them. We expect these risks to be considered as part of
deposit-takers’ risk assessments, and for this to inform management’s
decisions about the allocation of resources to a) the detection of fraudsters
among the customer base and b) the protection of potential victims.
•Have the risks of investment fraud (and other frauds where

customers and third parties suffer losses) been considered by the
firm?
•Are resources allocated to mitigating these risks as the result of

purposive decisions by management?
•Are the firm’s anti-money laundering controls able to identify

customers who are complicit in investment fraud?

• A bank regularly assesses the • A bank has performed no risk
risk to itself and its customers assessment that considers the
of losses from fraud, including risk to customers from invest-
investment fraud, in accord- ment fraud.
ance with their established
risk management framework.
The risk assessment does not
only cover situations where
the bank could cover losses,
but also where customers
could lose and not be reim-
bursed by the bank. Resource
allocation and mitigation
measures are informed by this
assessment.
• A bank contacts customers if • A bank fails to use actionable,
it suspects a payment is being credible information it has
made to an investment about known or suspected
fraudster. perpetrators of investment
fraud in its financial crime pre-
vention systems.
• A bank has transaction mon- • Ongoing monitoring of com-
itoring rules designed to de- mercial accounts is allocated
tect specific types of invest- to customer-facing staff incen-


ment fraud. Investment fraud tivised to bring in or retain
subject matter experts help business.
set these rules.
• A bank allocates excessive
numbers of commercial ac-
counts to a staff member to
monitor.

FCG 4 : Fraud Section 4.3 : Further guidance
4.3.1 FCTR contains the following additional material on fraud:
•■ FCTR 10 summarises the findings of the Small Firms Financial Crime

Review. It contains guidance directed at small firms on:
Monitoring activity (■ FCTR 10.3.3G)
General fraud (■ FCTR 10.3.13G)
Insurance fraud (■ FCTR 10.3.14G)
Investment fraud (■ FCTR 10.3.15G)
Mortgage fraud (■ FCTR 10.3.16G)
Staff/Internal fraud (■ FCTR 10.3.17G)
• ■ FCTR 11 summarises the findings of the FSA’s thematic review

Mortgage fraud against lenders. It contains guidance on:
Governance, culture and information sharing (■ FCTR 11.3.1G)
Applications processing and underwriting (■ FCTR 11.3.2G)
Mortgage fraud prevention, investigations, and recoveries
(■ FCTR 11.3.3G)
Managing relationships with conveyancers, brokers and valuers
(■ FCTR 11.3.4G)
Compliance and internal audit (■ FCTR 11.3.5G)
Staff recruitment and vetting (■ FCTR 11.3.6G)
Remuneration structures (■ FCTR 11.3.7G)
Staff training and awareness (■ FCTR 11.3.8G)

Banks’ defences against investment fraud. It contains guidance
directed at deposit-takers with retail customers on:
Governance (■ FCTR 14.3.2G)
Risk assessment (■ FCTR 14.3.3G)
Detecting perpetrators (■ FCTR 14.3.4G)
Automated monitoring (■ FCTR 14.3.5G)
Protecting victims (■ FCTR 14.3.6G)

FCG 4 : Fraud Section 4.3 : Further guidance
Management reporting and escalation of suspicions

(■ FCTR 14.3.7G)
Staff awareness (■ FCTR 14.3.8G)
Use of industry intelligence (■ FCTR 14.3.9G)
4.3.2 ■ FCTR 2 summarises the FSA’s thematic review Firms’ high-level management
of fraud risk.

FCG 4 : Fraud Section 4.4 : Sources of further information
4.4.1 To find out more about what FCA is doing about fraud, see:
•Details of the FCA’s Information from Lenders scheme: https://

www.fca.org.uk/firms/fraud/report-mortgage-fraud-lenders
•Details of the FCA’s Information from Brokers scheme: https://

www.fca.org.uk/firms/fraud/report-mortgage-fraud-advisers
4.4.2 The list of other bodies engaged in counter-fraud activities is long, but more
information is available from:
•Action Fraud, which is the UK’s national fraud reporting centre:

www.actionfraud.org.uk
•Fighting Fraud Action (FFA-UK) is responsible for leading the

collective fight against financial fraud on behalf of the UK payments
industry, https://www.financialfraudaction.org.uk/.
•The City of London Police, which has ‘lead authority’ status in the
UK for the investigation of economic crime, including fraud https://
www.cityoflondon.police.uk/advice-and-support/fraud-and-economic-
crime/Pages/default.aspx
•The Fraud Advisory Panel, which acts as an independent voice and

supporter of the counter fraud community:
www.fraudadvisorypanel.org/

Data security
Chapter 5
Data security

FCG 5 : Data security Section 5.1 : Introduction
5.1 Introduction
5 5.1.1 Who should read this chapter? This chapter applies to all firms subject to the
institutions and payment institutions within our supervisory scope.
5.1.2 Customers routinely entrust financial firms with important personal data; if
this falls into criminal hands, fraudsters can attempt to undertake financial
transactions in the customer’s name. Firms must take special care of their
customers’ personal data, and comply with the data protection principles set
out in Schedule 1 to the Data Protection Act 1998. The Information
Commissioner’s Office provides guidance on the Data Protection Act and the
responsibilities it imposes on data controllers and processors. See section 4
and schedule 1 Data Protection Act 1998.

FCG 5 : Data security Section 5.2 : Themes
5.2 Themes
Governance
......................................................................................................
5
applies to data security.
Firms should be alert to the financial crime risks associated with holding
customer data and have written data security policies and procedures which
are proportionate, accurate, up to date and relevant to the day-to-day work
of staff.
•How is responsibility for data security apportioned?
•Has the firm ever lost customer data? If so, what remedial actions
did it take? Did it contact customers? Did it review its systems?
•How does the firm monitor that suppliers of outsourced services

treat customer data appropriately?
•Are data security standards set in outsourcing agreements, with

suppliers’ performance subject to monitoring?
• There is a clear figurehead • The firm does not contact
championing the issue of customers after their data
data security. is lost or compromised.
• Work, including by in- • Data security is treated as
ternal audit and compli- an IT or privacy issue, with-
ance, is coordinated across out also recognising the
the firm, with compliance, financial crime risk.
audit, HR, security and IT
all playing a role.
• A firm’s plans to respond • A ‘blame culture’ discour-
to data loss incidents are ages staff from reporting
clear and include notifying data losses.
customers affected by data
loss and offering advice to
those customers about pro-
tective measures.
• A firm monitors accounts • The firm is unsure how its
following a data loss to third parties, such as sup-
spot unusual transactions. pliers, protect customer
data.
• The firm looks at out-
sourcers’ data security
practices before doing


business, and monitors
compliance.
Five fallacies of data loss and identity fraud

......................................................................................................
5.2.2 1. ‘The customer data we hold is too limited or too piecemeal to be
of value to fraudsters.’ This is misconceived: skilled fraudsters can
supplement a small core of data by accessing several different public
sources and use impersonation to encourage victims to reveal more.
Ultimately, they build up enough information to pose successfully as
their victim.
5
2. ‘Only individuals with a high net worth are attractive targets for
identity fraudsters.’ In fact, people of all ages, in all occupations and
in all income groups are vulnerable if their data is lost.
3. ‘Only large firms with millions of customers are likely to be

targeted.’ Wrong. Even a small firm’s customer database might be
sold and re-sold for a substantial sum.
4. ‘The threat to data security is external.’ This is not always the case.
Insiders have more opportunity to steal customer data and may do so
either to commit fraud themselves, or to pass it on to organised
criminals.
5. ‘No customer has ever notified us that their identity has been
stolen, so our firm must be impervious to data breaches.’ The truth
may be closer to the opposite: firms that successfully detect data loss
do so because they have effective risk-management systems. Firms
with weak controls or monitoring are likely to be oblivious to any
loss. Furthermore, when fraud does occur, a victim rarely has the
means to identify where their data was lost because data is held in
so many places.
Controls
......................................................................................................
5.2.3 We expect firms to put in place systems and controls to minimise the risk
that their operation and information assets might be exploited by thieves
and fraudsters. Internal procedures such as IT controls and physical security
measures should be designed to protect against unauthorised access to
customer data.
Firms should note that we support the Information Commissioner’s position
that it is not appropriate for customer data to be taken off-site on laptops or
other portable devices which are not encrypted.
•Is your firm’s customer data taken off-site, whether by staff (sales
people, those working from home) or third parties (suppliers,
consultants, IT contractors etc)?
•If so, what levels of security exist? (For example, does the firm
require automatic encryption of laptops that leave the premises, or
measures to ensure no sensitive data is taken off-site? If customer

data is transferred electronically, does the firm use secure internet

links?)
•How does the firm keep track of its digital assets?
•How does it dispose of documents, computers, and imaging

equipment such as photocopiers that retain records of copies? Are
accredited suppliers used to, for example, destroy documents and
hard disks? How does the firm satisfy itself that data is disposed of
competently?
•How are access to the premises and sensitive areas of the business
controlled?
5
•When are staff access rights reviewed? (It is good practice to review
them at least on recruitment, when staff change roles, and when
they leave the firm.)
•Is there enhanced vetting of staff with access to lots of data?
•How are staff made aware of data security risks?

• Access to sensitive areas (call • Staff and third party suppliers
centres, server rooms, filing can access data they do not
rooms) is restricted. need for their role.
• The firm has individual user • Files are not locked away.
accounts for all systems con-
taining customer data.
• The firm conducts risk-based, • Password standards are not ro-
proactive monitoring to en- bust and individuals share
sure employees’ access to cus- passwords.
tomer data is for a genuine
business reason.
• IT equipment is disposed of re- • The firm fails to monitor su-
sponsibly, e.g. by using a con- perusers or other staff with ac-
tractor accredited by the Brit- cess to large amounts of cus-
ish Security Industry As- tomer data.
sociation.
• Customer data in electronic • Computers are disposed of or
form (e.g. on USB sticks, CDs, transferred to new users with-
hard disks etc) is always out data being wiped.
encrypted when taken off-
site.
• The firm understands what • Staff working remotely do
checks are done by employ- not dispose of customer data
ment agencies it uses. securely.
• Staff handling large volumes
of data also have access to
internet email.
• Managers assume staff under-
stand data security risks and
provide no training.
• Unencrypted electronic data is
distributed by post or courier.

Case study – protecting customers’ accounts from criminals

......................................................................................................
5.2.4 In December 2007, the FSA fined Norwich Union Life £1.26m for failings in its
anti-fraud systems and controls.
Firms should note that we support the Information Commissioner’s position
that it is not appropriate for customer data to be taken off-site on laptops or
other portable devices which are not encrypted.
•Callers to Norwich Union Life call centres were able to satisfy the
firm’s caller identification procedures by providing public information
to impersonate customers.
•Callers obtained access to customer information, including policy

5 numbers and bank details and, using this information, were able to
request amendments to Norwich Union Life records, including
changing the addresses and bank account details recorded for those
customers.
•The frauds were committed through a series of calls, often carried

out in quick succession.
•Callers subsequently requested the surrender of customers’ policies
. •Over the course of 2006, 74 policies totalling £3.3m were

fraudulently surrendered.
•The firm failed to address issues highlighted by the frauds in an

appropriate and timely manner even after they were identified by its
own compliance department.
•Norwich Union Life’s procedures were insufficiently clear as to who

was responsible for the management of its response to these actual
and attempted frauds. As a result, the firm did not give appropriate
priority to the financial crime risks when considering those risks
against competing priorities such as customer service.
For more, see the FSA’s press release: www.fsa.gov.uk/pages/Library/

Communication/PR/2007/130.shtml
Case study – data security failings

......................................................................................................
5.2.5 In August 2010, the FSA fined Zurich Insurance plc, UK branch £2,275,000
following the loss of 46,000 policyholders’ personal details.
•The firm failed to take reasonable care to ensure that it had

effective systems and controls to manage the risks relating to the
security of confidential customer information arising out of its
outsourcing arrangement with another Zurich company in South
Africa.
•It failed to carry out adequate due diligence on the data security
procedures used by the South African company and its
subcontractors.
•It relied on group policies without considering whether this was

sufficient and did not determine for itself whether appropriate data

security policies had been adequately implemented by the South

African company.
•The firm failed to put in place proper reporting lines. While various
members of senior management had responsibility for data security
issues, there was no single data security manager with overall
responsibility.
•The firm did not discover that the South African entity had lost an
unencrypted back-up tape until a year after it happened.
The FSA’s press release has more details: www.fsa.gov.uk/pages/Library/

Communication/PR/2010/134.shtml
5

FCG 5 : Data security Section 5.3 : Further guidance
5 5.3.1 FCTR contains the following additional material on data security:
• ■ FCTR 6 summarises the findings of the FSA’s thematic review of

Data security in Financial Services and includes guidance on:
Governance (■ FCTR 6.3.1G)
Training and awareness (■ FCTR 6.3.2G)
Controls – access rights (■ FCTR 6.3.4G)
Controls – passwords and user accounts (■ FCTR 6.3.5G)
Controls – monitoring access to customer data (■ FCTR 6.3.6G)
Controls – data back-up (■ FCTR 6.3.7G)
Controls – access to the internet and email (■ FCTR 6.3.8G)
Controls – key-logging devices (■ FCTR 6.3.9G)
Controls – laptop (■ FCTR 6.3.10G)
Controls – portable media including USB devices and CDs
(■ FCTR 6.3.11G)
Physical security (■ FCTR 6.3.12G)
Disposal of customer data (■ FCTR 6.3.13G)
Managing third party suppliers (■ FCTR 6.3.14G)
Internal audit and compliance monitoring (■ FCTR 6.3.15G)
• ■ FCTR 10 summarises the findings of the Small Firms Financial Crime

Review, and contains guidance directed at small firms on:
Records (■ FCTR 10.3.5G)
Access to systems (■ FCTR 10.3.8G)
Outsourcing (■ FCTR 10.3.9G)
Physical controls (■ FCTR 10.3.10G)
Data disposal (■ FCTR 10.3.11G)
Data compromise incidents (■ FCTR 10.3.12G)

FCG 5 : Data security Section 5.4 : Sources of further information
5.4.1 To find out more, see 5

•the website of the Information Commissioner’s Office:
www.ico.org.uk.

FCG 5 : Data security Section 5.4 : Sources of further information

Bribery and corruption
Chapter 6
Bribery and corruption

FCG 6 : Bribery and corruption Section 6.1 : Introduction
6.1 Introduction
institutions and payment institutions within our supervisory scope.
6
6.1.2 Bribery, whether committed in the UK or abroad, is a criminal offence under
the Bribery Act 2010, which consolidates and replaces previous anti-bribery
and corruption legislation. The Act introduces a new offence for commercial
organisations of failing to prevent bribery. It is a defence for firms charged
with this offence to show that they had adequate bribery-prevention
procedures in place. The Ministry of Justice has published guidance on
adequate anti-bribery procedures.
6.1.3 The FCA does not enforce or give guidance on the Bribery Act. But:
•firms which are subject to our rules ■ SYSC 3.2.6R and ■ SYSC 6.1.1R
are under a separate, regulatory obligation to establish and maintain
effective systems and controls to mitigate financial crime risk; and
•e-money institutions and payment institutions must satisfy us that

they have robust governance, effective risk procedures and adequate
internal control mechanisms. See E-Money Reg 6 and Payment Service
Reg 6.
6.1.4 Financial crime risk includes the risk of corruption as well as bribery, and so is
wider than the Bribery Act’s scope. And we may take action against a firm
with deficient anti-bribery and corruption systems and controls regardless of
whether or not bribery or corruption has taken place. Principle 1 of our
Principles for Business also requires authorised firms to conduct their business
with integrity. See ■ PRIN 2.1.1R: Principle 1.
6.1.5 So while we do not prosecute breaches of the Bribery Act, we have a strong
interest in the anti-corruption systems and controls of firms we supervise,
which is distinct from the Bribery Act’s provisions. Firms should take this into
account when considering the adequacy of their anti-bribery and corruption
systems and controls.

FCG 6 : Bribery and corruption Section 6.2 : Themes
6.2 Themes
Governance
......................................................................................................
6.2.1 A firm’s senior management are responsible for ensuring that the firm
conducts its business with integrity and tackles the risk that the firm, or 6
anyone acting on its behalf, engages in bribery and corruption. A firm’s
senior management should therefore be kept up-to-date with, and stay fully
abreast of, bribery and corruption issues.
•What role do senior management play in the firm’s anti-bribery and

corruption effort? Do they approve and periodically review the
strategies and policies for managing, monitoring and mitigating this
risk? What steps do they take to ensure staff are aware of their
interest in this area?
•Can your firm’s board and senior management demonstrate a good

understanding of the bribery and corruption risks faced by the firm,
the materiality to its business and how to apply a risk-based
approach to anti-bribery and corruption?
•How are integrity and compliance with relevant anti-corruption

legislation considered when discussing business opportunities?
•What information do senior management receive in relation to

bribery and corruption, and how frequently? Is it sufficient for senior
management effectively to fulfil their functions in relation to anti-
bribery and corruption?

• The firm is committed to carry- • There is a lack of awareness
ing out business fairly, hon- of, or engagement in, anti-
estly and openly. bribery and corruption at
senior management or board
level.
• Senior management lead by • An ‘ask no questions’ culture
example in complying with sees management turn a blind
the firm’s anti-corruption pol- eye to how new business is
icies and procedures. generated.
• Responsibility for anti-bribery • Little or no management in-
and corruption systems and formation is sent to the board
controls is clearly documented about existing and emerging
and apportioned to a single bribery and corruption risks
senior manager or a commit- faced by the business, includ-
tee with appropriate terms of ing: higher risk third-party re-


reference and senior manage- lationships or payments; the
ment membership who re- systems and controls to mitig-
ports ultimately to the board. ate those risks; the effect-
iveness of these systems and
controls; and legal and regu-
latory developments.
• Anti-bribery systems and con-
trols are subject to audit.
• Management information sub-
mitted to the board ensures
they are adequately informed
of internal and external devel-
opments relevant to bribery
and corruption and respond
6 to these swiftly and ef-
fectively.
Risk assessment
......................................................................................................
also applies to bribery and corruption.
We expect firms to identify, assess and regularly review and update their
bribery and corruption risks. Corruption risk is the risk of a firm, or anyone
acting on the firm’s behalf, engaging in corruption.
•How do you define bribery and corruption? Does your definition

cover all forms of bribery and corrupt behaviour falling within the
definition of ‘financial crime’ referred to in ■ SYSC 3.2.6R and
■ SYSC 6.1.1R or is it limited to ‘bribery’ as that term is defined in the
Bribery Act 2010?
•Where is your firm exposed to bribery and corruption risk? (Have

you considered risk associated with the products and services you
offer, the customers and jurisdictions with which you do business,
your exposure to public officials and public office holders and your
own business practices, for example your approach to providing
corporate hospitality, charitable and political donations and your use
of third parties?)
•Has the risk of staff or third parties acting on the firm’s behalf
offering or receiving bribes or other corrupt advantage been
assessed across the business?
•Who is responsible for carrying out a bribery and corruption risk

assessment and keeping it up to date? Do they have sufficient levels
of expertise and seniority?

• Corruption risks are assessed • Departments responsible for
in all jurisdictions where the identifying and assessing
firm operates and across all bribery and corruption risk
business channels. are ill equipped to do so.


• The firm considers factors that • For fear of harming the busi-
might lead business units to ness, the firm classifies as low
downplay the level of bribery risk a jurisdiction generally as-
and corruption risk to which sociated with high risk.
they are exposed, such as lack
of expertise or awareness, or
potential conflicts of interest.
• The risk assessment is only
based on generic, external
sources.

......................................................................................................
6.2.3 The guidance in ■ FCG 2.2.5G on policies and procedures in relation to 6
financial crime and in ■ FCG 2.2.6G on staff recruitment, vetting, training,
awareness and remuneration also applies to bribery and corruption.
Firms’ policies and procedures to reduce their financial crime risk must cover
corruption and bribery.
•Do your anti-bribery and corruption policies adequately address all

areas of bribery and corruption risk to which your firm is exposed,
either in a stand-alone document or as part of separate policies? (for
example, do your policies and procedures cover: expected standards
of behaviour; escalation processes; conflicts of interest; expenses,
gifts and hospitality; the use of third parties to win business;
whistleblowing; monitoring and review mechanisms; and disciplinary
sanctions for breaches?)
•Have you considered the extent to which corporate hospitality

might influence, or be perceived to influence, a business decision? Do
you impose and enforce limits that are appropriate to your business
and proportionate to the bribery and corruption risk associated with
your business relationships?
•How do you satisfy yourself that your anti-corruption policies and

procedures are applied effectively?
•How do your firm’s policies and procedures help it to identify

whether someone acting on behalf of the firm is corrupt?
•How does your firm react to suspicions or allegations of bribery or

corruption involving people with whom the firm is connected?

• The firm clearly sets out beha- • The firm does not assess the
viour expected of those acting extent to which staff comply
on its behalf. with its anti-corruption pol-
icies and procedures.
• There are unambiguous con- • The firm’s anti-corruption pol-
sequences for breaches of the icies and procedures are out
firm’s anti-corruption policy. of date.


• Risk-based, appropriate addi- • A firm relies on passages in
tional monitoring and due dili- the staff code of conduct that
gence are undertaken for juris- prohibit improper payments,
dictions, sectors and business but has no other controls.
relationships identified as
higher risk.
• Staff responsible for imple- • The firm does not record cor-
menting and monitoring anti- porate hospitality given or
bribery and corruption pol- received.
icies and procedures have ad-
equate levels of anti-corrup-
tion expertise.
• Where appropriate, the firm • The firm does not respond to
refers to existing sources of in- external events that may high-
6 formation, such as expense re- light weaknesses in its anti-
gisters, policy queries and corruption systems and
whistleblowing and com- controls.
plaints hotlines, to monitor
the effectiveness of its anti-
bribery and corruption pol-
icies and procedures.
• Political and charitable dona- • The firm fails to consider
tions are subject to appropri- whether clients or charities
ate due diligence and are ap- who stand to benefit from cor-
proved at an appropriate man- porate hospitality or dona-
agement level, with compli- tions have links to relevant po-
ance input. litical or administrative de-
cision-makers.
• Firms who do not provide • The firm fails to maintain re-
staff with access to cords of incidents and
whistleblowing hotlines have complaints.
processes in place to allow
staff to raise concerns in con-
fidence or, where possible, an-
onymously, with adequate
levels of protection.
Dealing with third parties

......................................................................................................
6.2.4 We expect firms to take adequate and risk-sensitive measures to address the
risk that a third party acting on behalf of the firm may engage in corruption.
•Do your firm’s policies and procedures clearly define ‘third party’?
•Do you know your third party?
•What is your firm’s policy on selecting third parties? How do you

check whether it is being followed?
•To what extent are third-party relationships monitored and

reviewed? Is the frequency and depth of the monitoring and review
commensurate to the risk associated with the relationship?

•Is the extent of due diligence on third parties determined on a risk-

sensitive basis? Do you seek to identify any bribery and corruption
issues as part of your due diligence work, e.g. negative allegations
against the third party or any political connections? Is due diligence
applied consistently when establishing and reviewing third-party
relationships?
•Is the risk assessment and due diligence information kept up to

date? How?
•Do you have effective systems and controls in place to ensure

payments to third parties are in line with what is both expected and
approved?

• Where a firm uses third par- • A firm using intermediaries 6
ties to generate business, fails to satisfy itself that those
these relationships are subject businesses have adequate con-
to thorough due diligence trols to detect and prevent
and management oversight. where staff have used bribery
to generate business.
• The firm reviews in sufficient • The firm fails to establish and
detail its relationships with record an adequate commer-
third parties on a regular ba- cial rationale to support its
sis to confirm that it is still payments to overseas third
necessary and appropriate to parties. For example, why it is
continue with the rela- necessary to use a third party
tionship. to win business and what ser-
vices would the third party
provide to the firm?
• Third parties are paid directly • The firm is unable to produce
for their work. a list of approved third par-
ties, associated due diligence
and details of payments made
to them.
• The firm includes specific anti- • The firm does not discourage
bribery and corruption clauses the giving or receipt of cash
in contracts with third parties. gifts.
• The firm provides anti-bribery • There is no checking of com-
and corruption training to pliance’s operational role in
third parties where ap- approving new third-party re-
propriate. lationships and accounts.
• The firm reviews and mon- • A firm assumes that long-
itors payments to third par- standing third-party relation-
ties. It records the purpose of ships present no bribery or
third-party payments. corruption risk.
• There are higher or extra • A firm relies exclusively on in-
levels of due diligence and ap- formal means to assess the


proval for high risk third- bribery and corruption risks as-
party relationships. sociated with third parties,
such as staff’s personal know-
ledge of the relationship with
the overseas third parties.
• There is appropriate scrutiny
of and approval for relation-
ships with third parties that in-
troduce business to the firm.
• The firm’s compliance func-
tion has oversight of all third-
party relationships and mon-
itors this list to identify risk in-
dicators, for example a third
6 party’s political or public ser-
vice connections.
Case study – corruption risk

......................................................................................................
6.2.5 In January 2009, Aon Limited, an insurance intermediary based in the UK,
was fined £5.25m for failures in its anti-bribery systems and controls.
The firm made suspicious payments totalling $7m to overseas firms and
individuals who helped generate business in higher risk jurisdictions. Weak
controls surrounding these payments to third parties meant the firm failed
to question their nature and purpose when it ought to have been reasonably
obvious to it that there was a significant corruption risk.
•Aon Limited failed properly to assess the risks involved in its

dealings with overseas third parties and implement effective controls
to mitigate those risks.
•Its payment procedures did not require adequate levels of due

diligence to be carried out.
•Its authorisation process did not take into account the higher levels
of risk to which certain parts of its business were exposed in the
countries in which they operated.
•After establishment, neither relationships nor payments were

routinely reviewed or monitored.
•Aon Limited did not provide relevant staff with sufficient guidance
or training on the bribery and corruption risks involved in dealings
with overseas third parties.
•It failed to ensure that the committees it appointed to oversee

these risks received relevant management information or routinely
assessed whether bribery and corruption risks were being managed
effectively.
See the FSA’s press release:www.fsa.gov.uk/pages/Library/Communication/PR/

2009/004.shtml

Case study – inadequate anti-bribery and corruption systems

and controls
......................................................................................................
6.2.6 In July 2011, the FSA fined Willis Limited, an insurance intermediary, £6.9m
for failing to take appropriate steps to ensure that payments made to
overseas third parties were not used for corrupt purposes. Between January
2005 and December 2009, Willis Limited made payments totalling £27m to
overseas third parties who helped win and retain business from overseas
clients, particularly in high risk jurisdictions.
Willis had introduced anti-bribery and corruption policies in 2008, reviewed
how its new policies were operating in practice and revised its guidance as a
result in May 2009. But it should have taken additional steps to ensure they
were adequately implemented.
•Willis failed to ensure that it established and recorded an adequate

commercial rationale to support its payments to overseas third
parties. 6
•It did not ensure that adequate due diligence was carried out on
overseas third parties to evaluate the risk involved in doing business
with them.
•It failed to review in sufficient detail its relationships with overseas

third parties on a regular basis to confirm whether it was necessary
and appropriate to continue with the relationship.
•It did not adequately monitor its staff to ensure that each time it
engaged an overseas third party an adequate commercial rationale
had been recorded and that sufficient due diligence had been carried
out.
See the FSA’s press release: www.fsa.gov.uk/pages/Library/Communication/PR/

2011/066.shtml.

FCG 6 : Bribery and corruption Section 6.3 : Further guidance
6.3.1 FCTR contains the following additional material on bribery and corruption:
• ■ FCTR 9 summarises the findings of the FSA’s thematic review Anti-

6 bribery and corruption in commercial insurance broking and includes
guidance on:
Governance and management information (■ FCTR 9.3.1G)
Risk assessment and responses to significant bribery and
corruption events (■ FCTR 9.3.2G)
Due diligence on third-party relationships (■ FCTR 9.3.3G)
Payment controls (■ FCTR 9.3.4G)
Risk arising from remuneration structures (■ FCTR 9.3.7G)
Incident reporting (■ FCTR 9.3.8G)
The role of compliance and internal audit (■ FCTR 9.3.9G)
• ■ FCTR 13 summarises the findings of the FSA’s thematic review on

Anti-bribery and corruption systems and controls in investment banks
and includes guidance on:
Governance and management information (■ FCTR 13.3.2G)
Assessing bribery and corruption risk (■ FCTR 13.3.3G)
Policies and procedures (■ FCTR 13.3.4G)
Third party relationships and due diligence (■ FCTR 13.3.5G)
Payment controls (■ FCTR 13.3.6G)
Gifts and hospitality (■ FCTR 13.3.7G)
Remuneration structures (■ FCTR 13.3.10G)
Incident reporting and management (■ FCTR 13.3.11G)

FCG 6 : Bribery and corruption Section 6.4 : Sources of further information
6.4.1 To find out more, see:
•The Bribery Act 2010: www.legislation.gov.uk/ukpga/2010/23/

contents 6
•The Ministry of Justice’s guidance about procedures which relevant
commercial organisations can put into place to prevent persons
associated with them from bribing: https://www.justice.gov.uk/
downloads/legislation/bribery-act-2010-guidance.pdf (full version)
https://www.justice.gov.uk/downloads/legislation/bribery-act-2010-
quick-start-guide.pdf (quick start guide)
•Our one-minute guide for smaller firms on anti-bribery and

corruption: https://www.fca.org.uk/firms/financial-crime/bribery-
corruption

FCG 6 : Bribery and corruption Section 6.4 : Sources of further information

Sanctions and asset freezes
Chapter 7
Sanctions and asset freezes

FCG 7 : Sanctions and asset Section 7.1 : Introduction
freezes
7.1 Introduction
7.1.1 Who should read this chapter? All firms are required to comply with the UK’s
financial sanctions regime. The FCA’s role is to ensure that the firms it
supervises have adequate systems and controls to do so. As such, this chapter
applies to all firms subject to the financial crime rules in ■ SYSC 3.2.6R or
■ SYSC 6.1.1R. It also applies to e-money institutions and payment institutions
within our supervisory scope.
7
7.1.2 Firms’ systems and controls should also address, where relevant, the risks
they face from weapons proliferators, although these risks will be very low
for the majority of FSA-supervised firms. ■ FCG 7.2.5G, which looks at
weapons proliferation, applies to banks carrying out trade finance business
and those engaged in other activities, such as project finance and insurance,
for whom the risks are greatest.
7.1.3 [deleted]
7.1.4 Financial sanctions are restrictions put in place by the UK government or the
multilateral organisations that limit the provision of certain financial services
or restrict access to financial markets, funds and economic resources in order
to achieve a specific foreign policy or national security objective.
7.1.5 All individuals and legal entities who are within or undertake activities
within the UK’s territory must comply with the EU and UK financial sanctions
that are in force. All UK nationals and UK legal entities established under UK
law, including their branches, must also comply with UK financial sanctions
that are in force, irrespective of where their activities take place.
7.1.5A The Office of Financial Sanctions (OFSI) within the Treasury maintains a
Consolidated List of financial sanctions targets designated by the United
Nations, the European Union and the United Kingdom, which is available
from its website. If firms become aware of a breach, they must notify OFSI in
accordance with the relevant provisions. OFSI have published guidance on
complying with UK obligations and this is available on their website. See
https://www.gov.uk/government/publications/financial-sanctions-faqs.
7.1.6 Alongside financial sanctions, the government imposes controls on certain

types of trade. As part of this, the export of goods and services for use in
nuclear, radiological, chemical or biological weapons programmes is subject
to strict controls. Proliferators seek to gain access to this technology illegally:

FCG 7 : Sanctions and asset Section 7.1 : Introduction
freezes
aiding them is an offence under the Anti-Terrorism, Crime and Security Act
2001. Note that the Treasury can also use powers under the Counter
Terrorism Act 2008 (see ■ FCG Annex 1) to direct financial firms to, say, cease
business with certain customers involved in proliferation activity.

FCG 7 : Sanctions and asset Section 7.2 : Themes
freezes
7.2 Themes
Governance
......................................................................................................
applies to sanctions.
Senior management should be sufficiently aware of the firm’s obligations
regarding financial sanctions to enable them to discharge their functions
7 effectively.
•Has your firm clearly allocated responsibility for adherence to the

sanctions regime? To whom?
•How does the firm monitor performance? (For example, statistical or

narrative reports on matches or breaches.)

• An individual of sufficient au- • The firm believes payments to
thority is responsible for over- sanctioned individuals and en-
seeing the firm’s adherence to tities are permitted when the
the sanctions regime. sums are small. Without a li-
cence from the Asset Freezing
Unit, this could be a criminal
offence.
• It is clear at what stage cus- • No internal audit resource is
tomers are screened in differ- allocated to monitoring sanc-
ent situations (e.g. when cus- tions compliance.
tomers are passed from
agents or other companies in
the group).
• There is appropriate escala- • Some business units in a large
tion of actual target matches organisation think they are
and breaches of UK sanctions. exempt.
Notifications are timely.
The offence will depend on the sanctions provisions breached.
Risk assessment
......................................................................................................
also applies to sanctions.
A firm should consider which areas of its business are most likely to provide
services or resources to individuals or entities on the Consolidated List.

freezes
•Does your firm have a clear view on where within the firm breaches
are most likely to occur? (This may cover different business lines,
sales channels, customer types, geographical locations, etc.)
•How is the risk assessment kept up to date, particularly after the

firm enters a new jurisdiction or introduces a new product?

• A firm with international op- • There is no process for updat-
erations, or that deals in cur- ing the risk assessment.
rencies other than sterling, un-
derstands the requirements of
relevant local financial sanc-
tions regimes.
• A small firm is aware of the • The firm assumes financial
sanctions regime and where it sanctions only apply to
is most vulnerable, even if risk money transfers and so has
assessment is only informal. not assessed its risks.
7
Screening customers against sanctions lists
......................................................................................................
7.2.3 A firm should have effective, up-to-date screening systems appropriate to
the nature, size and risk of its business. Although screening itself is not a
legal requirement, screening new customers and payments against the
Consolidated List, and screening existing customers when new names are
added to the list, helps to ensure that firms will not breach the sanctions
regime. (Some firms may knowingly continue to retain customers who are
listed under UK sanctions: this is permitted if OFSI has granted a licence.)
•When are customers screened against lists, whether the

Consolidated List, internal watchlists maintained by the firm, or lists
from commercial providers? (Screening should take place at the time
of customer take-on. Good reasons are needed to justify the risk
posed by retrospective screening, such as the existence of general
licences.)
•If a customer was referred to the firm, how does the firm ensure
the person is not listed? (Does the firm screen the customer against
the list itself, or does it seek assurances from the referring party?)
•How does the firm become aware of changes to the Consolidated

List? (Are there manual or automated systems? Are customer lists
rescreened after each update is issued?)

• The firm has considered what • The firm assumes that an in-
mixture of manual and auto- termediary has screened a cus-
mated screening is most ap- tomer, but does not check
propriate. this.
• There are quality control • Where a firm uses automated
checks over manual screening. systems, it does not under-
stand how to calibrate them
and does not check whether

freezes

the number of hits is unexpec-
tedly high or low.
• Where a firm uses automated • An insurance company only
systems these can make ‘fuzzy screens when claims are made
matches’ (e.g. able to identify on a policy.
similar or variant spellings of
names, name reversal, digit ro-
tation, character manipula-
tion, etc.).
• The firm screens customers’ • Screening of customer data-
directors and known benefi- bases is a one-off exercise.
cial owners on a risk-sensitive
basis.
• Where the firm maintains an • Updating from the Consolid-
account for a listed individual, ated List is haphazard. Some
the status of this account is business units use out-of-date
clearly flagged to staff. lists.
7
• A firm only places faith in • The firm has no means of
other firms’ screening (such as monitoring payment in-
outsourcers or intermediaries) structions.
after taking steps to satisfy
themselves this is appropriate.
Matches and escalation

......................................................................................................
7.2.4 When a customer’s name matches a person on the Consolidated List it will
often be a ‘false positive’ (e.g. a customer has the same or similar name but
is not the same person). Firms should have procedures for identifying where
name matches are real and for freezing assets where this is appropriate.
•What steps does your firm take to identify whether a name match is
real? (For example, does the firm look at a range of identifier
information such as name, date of birth, address or other customer
data?)
•Is there a clear procedure if there is a breach? (This might cover, for
example, alerting senior management, the Treasury and the FCA, and
giving consideration to a Suspicious Activity Report.)

• Sufficient resources are avail- • The firm does not report a
able to identify ‘false breach of the financial sanc-
positives’. tions regime to OFSI: this
could be a criminal offence.
• After a breach, as well as • An account is not frozen
meeting its formal obligation when a match with the Con-
to notify OFSI, the firm consolidated List is identified. If,
siders whether it should re- as a consequence, funds held,
port the breach to the FCA. owned or controlled by a des-
SUP 15.3 contains general noti- ignated person are dealt with
fication requirements. Firms or made available to the des-

freezes

are required to tell us, for ex- ignated person, this could be
ample, about significant rule a criminal offence.
breaches (see SUP 15.3.11R(1)).
Firms should therefore con-
sider whether the breach is
the result of any matter
within the scope of SUP 15.3,
for example a significant fail-
ure in their financial crime sys-
tems and controls.
• A lack of resources prevents a
firm from adequately analys-
ing matches.
• No audit trail of decisions
where potential target
matches are judged to be
false positives.
The offence will depend on the sanctions provisions breached. 7
Weapons proliferation
......................................................................................................
7.2.5 Alongside financial sanctions, the government imposes controls on certain
types of trade in order to achieve foreign policy objectives. The export of
goods and services for use in nuclear, radiological, chemical or biological
weapons programmes is subject to strict controls. Firms’ systems and controls
should address the proliferation risks they face.
•Does your firm finance trade with high risk countries? If so, is
enhanced due diligence carried out on counterparties and goods?
Where doubt remains, is evidence sought from exporters that the
trade is legitimate?
•Does your firm have customers from high risk countries, or with a
history of dealing with individuals and entities from such places? If
so, has the firm reviewed how the sanctions situation could affect
such counterparties, and discussed with them how they may be
affected by relevant regulations?
•What other business takes place with high risk jurisdictions, and
what measures are in place to contain the risks of transactions being
related to proliferation?

• A bank has identified if its cus- • The firm assumes customers
tomers export goods to high selling goods to countries of
risk jurisdictions, and subjects concern will have checked the
transactions to enhanced exports are legitimate, and
scrutiny by identifying, for ex- does not ask for evidence of
ample, whether goods may be this from customers.
subject to export restrictions,
or end-users may be of
concern.

freezes

• Where doubt exists, the bank • A firm knows that its cus-
asks the customer to demon- tomers deal with individuals
strate that appropriate assur- and entities from high risk jur-
ances have been gained from isdictions but does not com-
relevant government au- municate with those cus-
thorities. tomers about relevant regula-
tions in place and how they af-
fect them.
• The firm has considered how • [deleted]
to respond if the government
takes action under the Coun-
ter-Terrorism Act 2008 against
one of its customers.
Case study – deficient sanctions systems and controls

......................................................................................................
7 7.2.6 In August 2010, the FSA fined Royal Bank of Scotland (RBS) £5.6m for
deficiencies in its systems and controls to prevent breaches of UK financial
sanctions.
•RBS failed adequately to screen its customers – and the payments

they made and received – against the sanctions list, thereby running
the risk that it could have facilitated payments to or from sanctioned
people and organisations.
•The bank did not, for example, screen cross-border payments made
by its customers in sterling or euros.
•It also failed to ensure its ‘fuzzy matching’ software remained

effective, and, in many cases, did not screen the names of directors
and beneficial owners of customer companies.
The failings led the FSA to conclude that RBS had breached the Money
Laundering Regulations 2007, and our penalty was imposed under that
legislation – a first for the FSA.
For more information see the FSA’s press release: www.fsa.gov.uk/pages/
Library/Communication/PR/2010/130.shtml

FCG 7 : Sanctions and asset Section 7.3 : Further guidance
freezes
7.3.1 FCTR contains the following additional material on sanctions and assets
freezes:

Financial services firms’ approach to UK financial sanctions and
7
Senior management responsibility (■ FCTR 8.3.1G)
Risk assessment (■ FCTR 8.3.2G)
Policies and procedures (■ FCTR 8.3.3G)
Staff training and awareness (■ FCTR 8.3.4G)
Screening during client take-on (■ FCTR 8.3.5G)
Ongoing screening (■ FCTR 8.3.6G)
Treatment of potential target matches (■ FCTR 8.3.7G)
• ■ FCTR 15 summarises the findings of the FCA’s thematic review

Banks’ management of financial crime risk in trade finance and
Sanctions Procedures (■ FCTR 15.3.7G)
Dual-Use Goods (■ FCTR 15.3.8G)

FCG 7 : Sanctions and asset Section 7.4 : Sources of further information
freezes
7.4.1 To find out more on financial sanctions, see:
•OFSI’s website: https://www.gov.uk/government/organisations/office-

of-financial-sanctions-implementation
•OFSI provides FAQs on financial sanctions- https://www.gov.uk/

7 government/publications/financial-sanctions-faqs
•Part III of the Joint Money Laundering Steering Group’s guidance,

which is a chief source of guidance for firms on this topic:
www.jmlsg.org.uk
7.4.2 To find out more on trade sanctions and proliferation, see:
•Part III of the Joint Money Laundering Steering Group’s guidance on

the prevention of money laundering and terrorist financing, which
contains a chapter on proliferation financing that should be firms’
chief source of guidance on this topic: www.jmlsg.org.uk
•The website of the UK’s Export Control Organisation, which contains

much useful information, including lists of equipment requiring a
licence to be exported to any destination, because they are either
military items or ‘dual use’ https://www.gov.uk/government/
organisations/export-control-organisation
•The NCA’s website, which contains guidelines on how to report

suspicions related to weapons proliferation:http://
www.nationalcrimeagency.gov.uk/publications/suspicious-activity-
reports-sars/57-sar-guidance-notes
•The FATF website. In June 2008, FATF launched a ‘Proliferation

Financing Report’ that includes case studies of past proliferation
cases, including some involving UK banks. This was followed up with
a report in February 2010:https://www.fatf-gafi.org/media/fatf/
documents/reports/
Typologies%20Report%20on%20Proliferation%20Financing.pdf .
http://www.fatf-gafi.org/media/fatf/documents/reports/Status-report-
proliferation-financing.pdf.

Insider dealing and market manipulation
Chapter 8
Insider dealing and market

manipulation

FCG 8 : Insider dealing and Section 8.1 : Introduction
market manipulation
8.1 Introduction
8.1.1 Who should read this chapter? This chapter applies to firms subject to
■ SYSC 6.1.1R.
8.1.2 Insider dealing is a criminal offence under section 52 of the Criminal Justice
Act 1993. Sections 89-91 of the Financial Services Act 2012 set out a range of
behaviours which amount to criminal offences, which are together referred
to in this guide as market manipulation.
8
8.1.3 Section 1H(3) of the Act defines financial crime to include ‘any offence
involving:
(a) fraud or dishonesty,
(b) misconduct in, or misuse of information relating to, a financial

market,
(c) handling the proceeds of crime, or
(d) the financing of terrorism’.
Insider dealing and market manipulation both meet this definition, in

particular because they involve misconduct in a financial market.
8.1.4 To avoid doubt, all references to insider dealing and market manipulation in
this chapter refer to the criminal offences set out above. This chapter does
not seek to reproduce a list of those markets, particularly because that list
may change over time. Therefore, all references to ‘financial markets’ and
‘markets’ in this chapter refer to the markets to which the criminal regimes
of insider dealing and market manipulation apply, unless the context
specifies otherwise. The civil offences of insider dealing, unlawful disclosure
of inside information and market manipulation set out in the Market Abuse
Regulation are referred to collectively herein as market abuse.
8.1.5 We recognise that many firms will not distinguish between the criminal or
civil regimes for the purposes of conducting surveillance and monitoring of
their clients’ and employees’ activities. As such, firms may find it simpler to
consider this guidance as applying to all instruments to which both the
Market Abuse Regulation and the criminal regimes set out in ■ FCG 8.1.2G
apply. Note though that the FCA cannot and does not mandate that this
guidance applies to those financial instruments which are captured by the
Market Abuse Regulation, but not by the criminal regimes set out above.

market manipulation
8.1.6 To commit insider dealing, as well as certain forms of market manipulation,

the perpetrator must typically engage with, or work within, a firm able to
access the relevant financial markets on their behalf. It is critical that firms
that offer access to relevant financial markets have adequate policies and
procedures to counter the risk that the firm might be used to further
financial crime, in accordance with ■ SYSC 6.1.1R.
FCG is not intended to be prescriptive to every business model type. It is
incumbent upon a firm to ensure that its policies, procedures and risk
framework are tailored and appropriate to the nature of its business, eg
client type(s), product type(s), means of order transmission and execution,
risks posed by employees, etc.
8.1.7 On 3 July 2016, Market Abuse Regulation came into force. The Market Abuse
Regulation sets out the civil offences of market abuse. Article 16 of the
Market Abuse Regulation also imposes specific requirements on:
•Market operators and investment firms that operate a trading

venue to establish and maintain effective arrangements, systems and
procedures aimed at detecting and preventing insider dealing,
market manipulation and attempted insider dealing and market
manipulation. Such persons shall report orders and transactions that 8
could constitute insider dealing or market manipulation (or attempts
at such) to the competent authority of the trading venue. This is
imposed under article 16(1).
•Any person professionally arranging or executing transactions to

establish and maintain effective arrangements, systems and
procedures to detect and report suspicious orders and transactions.
This is imposed under article 16(2).
8.1.8 There is a key distinction between the obligations under article 16(2) of the
Market Abuse Regulation and the requirements of ■ SYSC 6.1.1R. Article 16(2)
of the Market Abuse Regulation requires persons professionally arranging or
executing transactions to establish arrangements, systems and procedures to
detect and report potential market abuse, whereas ■ SYSC 6.1.1R requires
firms to have policies and procedures for countering the risk that the firm
might be used to further financial crime. (As noted above, article 16(1) of the
Market Abuse Regulation obliges market operators and investment firms
that operate a trading venue to have systems aimed at preventing as well as
detecting potential market abuse). This document does not provide any FCA
guidance in relation to the Market Abuse Regulation article 16.
8.1.9 Appropriate policies and procedures for countering the risk that the firm
might be used to further financial crime are likely to fall into two distinct
categories:
(1) Identification of, and taking steps to counter financial crime pre-
trade, and
(2) Mitigation of future risks posed by clients or employees who have

been identified as having already traded suspiciously.

market manipulation
8.1.10 Firms which have identified activity they suspect may amount to insider
dealing or market manipulation should consider their further obligations in
relation to countering the risk of financial crime should the relevant client
seek to transfer or use the proceeds of that suspicious activity (see ■ FCG 3).
This includes, where appropriate, seeking consent from the National Crime
Agency.

FCG 8 : Insider dealing and Section 8.2 : Themes
market manipulation
8.2 Themes
Governance
......................................................................................................
8.2.1 The guidance in ■ FCG 2.2.1G above on governance in relation to financial
crime also applies to insider dealing and market manipulation.
We expect senior management to take responsibility for the firm’s measures
in relation to insider dealing and market manipulation. This includes:
•Understanding the risks of insider dealing or market manipulation

that their firm is exposed to (both through employee and client
activity). 8
•Establishing adequate policies and procedures to counter the risk
that their firm is used to further these offences in accordance with
■ SYSC 6.1.1R.
Senior management should also be aware and manage the potential conflict
of interest which may arise from the firm’s focus on revenue generation
versus its obligation to counter the risk of the firm being used to further
financial crime.
•Does the firm’s senior management team understand the legal

definitions of insider dealing and market manipulation, and the ways
in which the firm may be exposed to the risk of these crimes?
•Does the firm’s senior management team regularly receive

management information in relation to suspected insider dealing or
market manipulation?
•How does senior management make sure that the firm’s systems
and controls for detecting insider dealing and market manipulation
are robust? How do they set the tone from the top?
•How does the firm’s MLRO interact with the individual/departments

responsible for order and trade surveillance/monitoring?
•How does senior management make decisions in relation to

concerns about potential insider dealing or market manipulation
raised to them by Compliance or another function? Do they act
appropriately to mitigate these risks?
•How does senior management make sure that its employees have
the appropriate training to identify potential insider dealing and
market manipulation?

market manipulation

• Senior management are able • There is little evidence that
to recognise and articulate possible insider dealing or
the warning signs that insider market manipulation is taken
dealing and market manipula- seriously by senior manage-
tion might be taking place. ment. Addressing these risks is
seen as a legal or regulatory
necessity rather than a matter
of true concern for the
business.
• Senior management regularly • Senior management considers
receive management informa- revenue above obligations to
tion in relation to any pos- counter financial crime.
sible insider dealing or market
manipulation that occurs.
• The individual(s) responsible • Senior management considers
for overseeing the firm’s mon- the firm’s financial crime ob-
itoring for suspected insider ligations are fulfilled solely by
dealing and market manipula- submitting a STOR and/or
tion has regular interaction SAR.
and shares relevant informa-
tion with the MLRO.
8
• Senior management appropri- • The Compliance function has
ately supports decisions pro- limited independence and the
posed by Compliance. first line can block concerns
from being escalated.
Risk assessment
......................................................................................................
8.2.2 The guidance in ■ FCG 2.2.4G above on risk assessment in relation to financial
crime also applies to insider dealing and market manipulation.
Firms should assess and regularly review the risk that they may be used to
facilitate insider dealing or market manipulation. A number of factors should
be incorporated into this assessment, including the client types, products,
instruments and services offered/ provided by the firm. Firms’ assessments
should also consider the risk which employees may pose too.
Firms should consider how their policies and procedures seek to mitigate the
financial crime risks they have identified. This could include, but is not
limited to:
•undertaking enhanced order and transaction monitoring on clients

or employees,
•setting client specific pre-trade limits, and
•ultimately declining business or terminating client or employee

relationships if appropriate (see ■ FCG 8.2.3 for more detail).
•Has the firm considered whether any of the products/services it

offers, or the clients it has, pose a greater risk that the firm might be
used to facilitate insider dealing or market manipulation? How has
the firm determined this?

market manipulation
•Who is responsible for carrying out the risk assessment and keeping
it up to date? Do they have sufficient levels of expertise (including
markets and financial crime knowledge) and seniority?
What framework does the firm have in place for assessing the risk of
insider dealing and market manipulation being committed by its
employees?
•How does the firm use its risk assessment when deciding which
business to accept?
•How often is the risk framework reviewed and who approves it? •
How does the firm’s risk framework for countering the risk of insider
dealing and market manipulation interact with the firm’s AML risk
framework? Are the risk assessments aligned?

• Insider dealing and market • Risk assessments are generic,
manipulation risks are as- and not based upon the firm’s
sessed across every asset class own observations.
to which the criminal regimes
of insider dealing and market
manipulation apply, and 8
across all client types with
which the firm operates.
• There is evidence that the • An inappropriate risk classi-
firm’s risk assessment informs fication system makes it al-
the design of its surveillance most impossible for a client re-
controls. lationship to be considered
‘high risk’.
• The firm identifies and uses • The firm fails to consider the
all information at its disposal risks associated with em-
to make informed judgments ployees using discretionary ac-
about the level of financial counts to commit insider trad-
crime risk posed to its ing or market manipulation.
business.
• The firm’s risk framework is • Risk assessments are inappro-
regularly tested and reviewed. priately influenced by profit-
ability of new or existing rela-
tionships.
• Where a firm identifies a risk • The firm submits a significant
that it may be used to facilit- number of SARs and/or STORs
ate insider dealing or market on a particular client, but con-
manipulation, it takes appro- tinues to service that client
priate steps to mitigate that without considering its obliga-
risk. tion to counter the risk of fur-
thering financial crime.
• The firm considers where rela- • The firm fails to consider addi-
tionship managers might be- tional account information it
come too close to customers has access to, such as Power
to take an objective view of of Attorney arrangements,
risk, and manages that risk ef- when designing its surveil-
fectively. lance controls.

......................................................................................................
8.2.3 The guidance in ■ FCG 2.2.5G above on policies and procedures in relation to
financial crime also apply.

market manipulation
Firms’ policies and procedures should include steps designed to counter the
risk of insider dealing and market manipulation occurring through the firm.
Policies and procedures should be aligned and make reference to the firm’s
insider dealing and market manipulation risk assessment.
Firms should ensure that their policies and procedures cover both:
(1) identifying and taking steps to counter the risk of financial crime
before any trade is executed, and
(2) mitigating future risks posed by clients or employees who have

already been identified as having traded suspiciously.
Firms should make sure that front office employees are aware of the firm’s
policies and procedures with regard to countering the risk that the firm is
used to further financial crime. Among other things, these should reflect the
FCA’s expectation that market participants do not knowingly or intentionally
aid, abet, counsel or procure the commission of a criminal offence (insider
dealing or market manipulation). Therefore, where the firm holds
information which leads to the conclusion that its employee or client is
seeking to trade either manipulatively or on the basis of inside information,
it should refuse to execute the trade where it is able to do so.
8 Firms’ policies and procedures should state clearly how they identify and
monitor employees’ trading, in addition to their clients’ trading. ■ COBS 11.7
requires firms that conduct designated investment business to have a
personal account dealing (PAD) policy. Appropriately designed PAD policies
can:
•counter the risk that employees of the firm commit financial crime
themselves,
•make sure that conflicts of interest that might result in employees

not escalating suspicious activity are avoided. For example, if
employees are allowed to copy clients’ trades on their own accounts,
they may be less inclined to escalate financial crime concerns that
only become apparent post-trade, as, by reporting the client they
would, by implication, be reporting their own trading as suspicious.
Policies and procedures relevant to each business area, including front office
functions, should be communicated and embedded.
•Does the policy define how the firm will counter the risk of being
used to facilitate insider dealing and market manipulation? For
example, in what circumstances would the firm conduct enhanced
monitoring or stop providing trading access to a particular client or
employee?
•Does the firm have established procedures for following up and

reviewing possibly suspicious behaviour?
•Do front office staff understand how insider dealing and market
manipulation might be committed through the firm, to escalate
potentially suspicious activity when appropriate, and challenge client
or employee orders (where relevant), if they believe the activity will
amount to financial crime? Does the firm have effective

market manipulation
whistleblowing arrangements in place to support appropriate

financial crime detection and reporting?

• The firm has clear and unam- • The firm’s policies and proced-
biguous expectations for its ures aren’t updated for legal
employees and anyone acting or regulatory changes.
on its behalf, such as introdu-
cing brokers.
• Employees in dealing roles un- • Policies and procedures are
derstand and are able to generic and don’t consider
identify potentially illegal con- the specific processes or risks
duct, and their trading is regu- of the firm.
larly monitored by
Compliance.
• The policies and procedures • Policies and procedures cover
make adequate reference to only post-trade identification
the firm’s risk assessment. and reporting of suspicious ac-
tivity and do not cover coun-
tering the risk of financial
crime.
• Policies and procedures make • The firm sets apparently ro- 8
sure that the risk of financial bust procedures for assessing
crime is considered through- and mitigating identified fin-
out the lifecycle of a security ancial crime risk, but sets
transaction, including before thresholds for engaging these
the order has been executed. measures which mean that
they are almost impossible to
trigger.
• Where the financial intermedi- • The firm doesn’t have policies
ary is aware that a client is in- detailing the circumstances
tending to trade on the basis when it will consider rejecting
of inside information or ma- a prospective client or termin-
nipulate the market, the firm ating an existing client rela-
refuses to execute the tionship.
order(s).
• The firm takes swift, robust ac- • The firm doesn’t have appro-
tion for breaches of its pol- priate policies or procedures
icies and procedures. in place regarding personal ac-
count dealing, so that staff
are able to deal in a manner
which creates conflict in escal-
ating suspected market abuse.
• The firm’s policies and proced-
ures include controls designed
to counter the risk of financial
crime being committed by em-
ployees, for example wall cros-
sings, restricted lists and per-
sonal account dealing re-
strictions.
Ongoing monitoring
......................................................................................................
8.2.4 We recognise that the Market Abuse Regulation already imposes monitoring
requirements on persons professionally arranging or executing transactions,
in order to detect and report suspicious orders and transactions in the form
of STORs (as well as imposing similar monitoring obligations on market

market manipulation
operators and investment firms that operate a trading venue). It may be

appropriate to use the results of this monitoring for the purpose of
countering financial crime.
Firms should note that the markets and instruments to which the criminal
offences of insider dealing and market manipulation apply are different to
those covered by the Market Abuse Regulation. Firms should therefore assess
whether their arrangements to detect and report market abuse can be
appropriately relied on to monitor for potential insider dealing and market
manipulation.
For their risk assessments, firms should regularly take steps to consider
whether their employees and/or clients may be conducting insider dealing or
market manipulation. This could be achieved by transaction, order and
communications surveillance, with consideration given to the employee’s or
client’s usual trading behaviour and/or strategies, and in respect of clients:
initial on-boarding checks and ongoing due diligence, or other methods.
Firms should consider the risks that arise in scenarios whereby their client is
not the decision maker behind the activity taking place, with orders and
trades being instructed by an underlying client. In this scenario, where a firm
is concerned either about a particular client or trade, firms should consider
the steps they could take to gain further information, or an understanding,
8 of the client, underlying client and/or activity. The firm may wish to engage
with its client to obtain further information about the trading in question
and/or the nature of the underlying client(s).
If a firm is, based on their understanding of a client and monitoring of that
client’s transactions, suspicious that a client might have committed or
attempted to commit insider dealing or market manipulation, the firm
should comply with its obligations to report those suspicions via a STOR and/
or SAR (where appropriate). In addition, it may be appropriate for the firm
to document the options available to it to counter the risk of any ongoing
financial crime posed by its ongoing relationship with that client, and when
these options should be considered.
In addition, a firm must also submit a STOR where it identifies suspicious
trading by an employee. The nominated officer of the firm would also be
required to report any knowledge or suspicions of money laundering or
terrorist financing arising from trade by submitting a SAR to the NCA. Again,
the firm’s policies and procedures should document the options available to
it to counter the risk of any ongoing financial crime related to employee
trading activity, and when these options should be considered.
Options available to firms to counter the risk of being used to further
financial crime by its clients and/or employees could include:
•Carrying out enhanced due diligence on a client and enhanced

monitoring of a client’s or employee’s trading activity.
•Restricting the client’s access to particular markets or instruments.
•Restricting services provided to the client (eg direct market access).
•Restricting the amount of leverage the firm is willing to provide to

the client.
•Taking disciplinary action against an employee.
•Ultimately terminating the client or employee relationship. The

appropriate response will depend on the outcome of the firm’s

market manipulation
monitoring procedures and the extent and nature of any suspicious

activity identified.
•Does the firm consider its obligations to counter financial crime

when a client’s or employee’s activity is determined as suspicious via
surveillance systems and subsequent investigation?
•How do the firm’s monitoring arrangements interact with the client-

on-boarding process / AML framework?
•Does the firm undertake enhanced monitoring for high risk clients?
•Does the firm’s monitoring cover the activity of any employee

trading?
•In instances where a firm is concerned about a client which is not

the individual or entity who is making the decision to trade, has the
firm considered information it has access to, or ways it can gain
information, to allow it to counter the risk of being used to further
financial crime?
8
• The firm’s monitoring seeks to • The firm believes that its ob-
identify trends in clients’ or ligations cease when it re-
employee’s behaviour, in addi- ports the suspicious transac-
tion to one off events. tions and orders.
• The firm undertakes enhanced • Suspicious transactions and or-
monitoring of clients it has de- ders are identified but not in-
termined are high risk. vestigated further.
• The firm conducts regular, tar- • Monitoring identifies indi-
geted monitoring of voice vidual suspicious events but
and electronic commun- does not attempt to identify
ications. patterns of suspicious behavi-
our by the same client or a
group of clients, using, for ex-
ample, historical assessments
of potentially suspicious activ-
ity or STORs submitted.
• Front office employees escal- • The firm does not consider en-
ate suspicious activity gaging with its clients,
promptly to Compliance. whether to understand their
trading activity or the activity
of their underlying client(s).
• The firm takes additional • The firm does not use informa-
steps to understand and en- tion obtained via monitoring
sure it is comfortable with the and subsequent investigation
rationale behind the trading to consider the suitability of
strategies employed by its cli- retaining a client relationship.
ent(s) and/or staff.
• The firm conducts regular • In instances when a client is
monitoring of its employee placing orders on behalf of its
trading activity, whether per- underlying clients, the firm
sonal account dealing or trad- fails to make use of informa-

market manipulation

ing on behalf of the firm or tion which could allow it to
clients. understand the nature and po-
tential risk of their client (for
example, number of underly-
ing clients, trading strategies,
the nature of their business).
• In instances when a client is
placing orders on behalf of its
underlying clients, the firm en-
gages with their client to es-
tablish whether they maintain
appropriate systems and con-
trols for countering the risk of
being used to further finan-
cial crime.
• The firm considers a client or
employee’s ongoing risk of
committing insider dealing or
market manipulation follow-
ing the submission of a STOR
and/or SAR.
8

Common terms
Chapter Annex
Common terms
■ Release 36 ● Feb 2019 www.handbook.fca.org.uk FCG Annex/1

■ Release 36 ● Feb 2019 www.handbook.fca.org.uk FCG Annex/2
FCG Annex : Common terms
Common terms Annex
This annex provides a list of common and useful terms related to financial crime. It also includes
references to some key legal provisions. It is for reference purposes and is not a list of ‘defined terms’
used in FCG. This annex does not provide guidance on rules or amend corresponding references in the
Handbook’s Glossary.
Term Meaning
Action Fraud The UK’s national fraud reporting centre. See: www.actionfraud.-
police.uk
advance fee fraud A fraud where people are persuaded to hand over money, typic-
ally characterised as a ‘fee’, in the expectation that they will then
be able to gain access to a much larger sum which does not actu-
ally exist.
AML Anti-money laundering. See ‘money laundering’.
Annex I financial institution The Money Laundering Regulations give the FCA responsibility for
supervising the anti-money laundering controls of ‘Annex I finan-
cial institutions’ (a reference to Annex I to the Capital Require-
ments Directive, where they are listed). In practice, this includes
businesses that offer finance leases, commercial lenders and pro-
viders of safe deposit boxes.
Where an authorised firm offers such services, we are responsible
for overseeing whether these activities are performed in a manner
that complies with the requirements of the Money Laundering Re-
gulations. Authorised firms are not formally required to inform us
that they perform these activities, although some may choose to
do so for the sake of transparency.
Where these businesses are not authorised, we are responsible for
supervising their activities. For more information on this, see the
FCA’s website: https://www.fca.org.uk/firms/money-laundering-ter-
rorist-financing/registration
beneficial owner The natural person who ultimately owns or controls the customer.
An entity may have more than one beneficial owner. ‘Beneficial
owner’ is defined in Regulations 5 and 6 of the Money Laun-
dering Regulations.
boiler room See ‘share sale fraud’.
bribery Bribery is the offering or acceptance of an undue advantage in ex-
change for the improper performance of a function or activity.
Statutory offences of bribery are set out more fully in the Bribery
Act 2010.
Bribery Act 2010 The Bribery Act came into force in July 2011. It outlaws offering
and receiving bribes, at home and abroad, as well as creating a
corporate offence of failure to prevent bribery. The Ministry of
Justice has issued guidance about procedures which firms can put
in place to prevent bribery: https://www.justice.gov.uk/downloads/
legislation/bribery-act-2010-guidance.pdf
business-wide risk assessment A business-wide risk assessment means the identification and as-
sessment of the financial crime risks to which a firm is exposed as
a result of, for example, the products and services it offers, the jur-
isdictions it operates in, the types of customer it attracts, the com-
■ Release 36 ● Feb 2019 www.handbook.fca.org.uk Annex 1/1

Term Meaning
Annex plexity and volume of transactions, and the distribution channels
it uses to service its customers.
carbon credit scams Firms may sell carbon credit certificates or seek investment directly
in a ‘green’ project that generates carbon credits as a return. Car-
bon credits can be sold and traded legitimately and there are
many reputable firms operating in the sector. We are, however,
concerned an increasing number of firms are using dubious, high-
pressure sales tactics and targeting vulnerable consumers. See:
https://www.fca.org.uk/scamsmart/carbon-credit-scams
CDD See ‘customer due diligence’.
CIFAS CIFAS is the UK’s fraud prevention service with over 250 members
across the financial industry and other sectors. See CIFAS’s website
for more information: www.cifas.org.uk
Defence against Money A ‘Defence Against Money Laundering (DAML)’ can be requested
Laundering from the NCA where a firm has a suspicion that property they in-
tend to deal with is in some way criminal, and that by dealing
with it they risk committing one of the principal money laun-
dering offences under the Proceeds of Crime Act 2002 (POCA).
A person does not commit one of those offences if they have re-
ceived ‘appropriate consent’ (aka a “DAML”) from the NCA. The
NCA is empowered to provide these criminal defences in law un-
der s335 of POCA.
More information is available from the NCA,
http://www.nationalcrimeagency.gov.uk/publications/902-defence-
against-money-laundering-faq-may-2018/file
Consolidated List OFSI maintains a Consolidated List of financial sanctions targets
designated by the United Nations, the European Union and the
United Kingdom. It is available from the Treasury’s website:
www.hm-treasury.gov.uk/fin_sanctions_index.htm
corruption Corruption is the abuse of public or private office to obtain an un-
due advantage. Corruption includes not only bribery but also
other forms of misconduct or improper behaviour. This behaviour
may or may not be induced by the prospect of obtaining an un-
due advantage from another person.
Counter-Terrorism Act 2008 The Treasury has powers under Schedule 7 to the Counter-Terror-
ism Act 2008 to require financial firms to take specified actions in
relation to a country of concern, or counterparties based in that
country. Use of this power can be triggered if a) the risk of money
laundering or terrorist financing activities is identified in a coun-
try, or b) the government believes a country has a nuclear, chem-
ical, radiological or biological weapons programme that threatens
the UK. The directions can require enhanced due diligence and on-
going monitoring, the systematic reporting of transactions, or the
cessation of business. This offers the government flexibility that
was not available in the traditional financial sanctions regime. We
are responsible for monitoring authorised firms’ and certain finan-
cial institutions’ compliance with these directions.
cover payment Where payments between customers of two banks in different
countries and currencies require settlement by means of matching
inter-bank payments, those matching payments are known as
‘cover payments’. International policymakers have expressed con-
cern that cover payments can be abused to hide the origins of
flows of funds. In response to this, changes to the SWIFT payment
messaging system now allow originator and beneficiary informa-
tion to accompany cover payments.
CPS See ‘Crown Prosecution Service’
Annex 1/2 www.handbook.fca.org.uk ■ Release 36 ● Feb 2019

Term Meaning
Crown Prosecution Service (CPS) The Crown Prosecution Service prosecutes crime, money laun- Annex
dering and terrorism offences in England and Wales. The Procur-
ator Fiscal and Public Prosecution Service of Northern Ireland play
similar roles in Scotland and Northern Ireland respectively. See the
CPS website for more information: www.cps.gov.uk
CTF Combating terrorist financing/countering the finance of terrorism.
customer due diligence (CDD)‘ Customer due diligence’ describes measures firms have to take to
identify, and verify the identity of, customers and their beneficial
owners. Customer due diligence also includes measures to obtain
information on the purpose and intended nature of the business
relationship. See Regulation 7 of the Money Laundering Regula-
tions. ‘Customer due diligence’ and ‘Know Your Customer’ (KYC)
are sometimes used interchangeably.
dual use goods Items that can have legitimate commercial uses, while also having
applications in programmes to develop weapons of mass destruc-
tion. Examples may be alloys constructed to tolerances and thresh-
olds sufficiently high for them to be suitable for use in nuclear re-
actors. Many such goods are listed in EU regulations which also re-
strict their unlicensed export.
Data Protection Act 1998 (DPA) The DPA imposes legal obligations on those who handle indi-
viduals’ personal information. Authorised firms are required to
take appropriate security measures against the loss, destruction or
damage of personal data. Firms also retain responsibility when
data is passed to a third party for processing.
economic sanctions Restrictions on trade or financial flows imposed by the govern-
ment in order to achieve foreign policy goals. See: ‘financial sanc-
tions regime’, ‘trade sanctions’, and ‘proliferation finance’.
EEA firms Firms from the European Economic Area (EEA) which passport
into the UK are authorised persons. This means, generally
speaking, EEA firms who carry on relevant business from a UK
branch will be subject to the requirements of the Handbook and
of the Money Laundering Regulations. However, an EEA firm that
only provides services on a cross-border basis (and so does not
have a UK branch) will not be subject to the Money Laundering
Regulations, unless it carries on its business through representat-
ives who are temporarily located in the UK.
Egmont Group A forum for financial intelligence units from across the world. See
the Egmont Group’s website for more information: www.eg-
montgroup.org
embargos See ‘trade sanctions’.
e-money The Electronic Money Regulations 2011 (SI 2011/99) define elec-
tronic money as electronically (including magnetically) stored mon-
etary value, represented by a claim on the issuer, which is issued
on receipt of funds for the purpose of making payment transac-
tions, and which is accepted by a person other than the electronic
money issuer. The E-money Regulations specify who can issue e-
money; this includes credit institutions and e-money institutions.
e-money institutions (EMIs) E-money institutions are a specific category of financial institu-
tions authorised or registered to issue e-money under the Elec-
tronic Money Regulations 2011, rather than FSMA. The FCA’s fin-
ancial crime Handbook provisions do not apply to e-money institu-
tions, but the FCA supervises e-money institutions for compliance
with their obligations under the Money Laundering Regulations.
They must also satisfy us that they have robust governance, effect-
ive risk procedures and adequate internal control mechanisms.
This incorporates their financial crime systems and controls. For
more information, see our payment services and e-money ap-

Term Meaning
Annex proach document: https://www.fca.org.uk/publication/finalised-
guidance/fca-approach-payment-services-electronic-money-
2017.pdf
enhanced due diligence (EDD) Regulations 33-35 of the Money Laundering Regulations require
firms to apply additional, ‘enhanced’ customer due diligence meas-
ures in higher risk situations (see FCG 3.2.7G to FCG 3.2.9G).
equivalent jurisdiction A jurisdiction (other than an EEA state) whose law contains
equivalent provisions to those contained in the Fourth Money
Laundering Directive. The JMLSG has prepared guidance for firms
on how to identify which jurisdictions are equivalent. Equivalent
jurisdictions are significant because it is a factor that a firm may
consider when deciding whether to apply ‘simplified due dili-
gence’ to financial institutions from these places. Firms can also
rely on the customer due diligence checks undertaken by certain
introducers from these jurisdictions (see ‘reliance’).
export controls UK exporters must obtain a licence from the government before
exporting certain types of goods, primarily those with military ap-
plications. Exporting these goods without a licence is prohibited
by the Export Control Order 2008 (SI 2008/3231). If an authorised
financial firm were to finance or insure these illegal exports, it
would arguably have been used to further financial crime.
family member of a PEP Regulation 35(12)(b) of the Money Laundering Regulations de-
fines a family member of a PEP as including a spouse or civil part-
ner of a PEP; children of the PEP and the spouses or civil partners
of the PEP’s children; and the parents of a PEP. The FCA’s Finalised
Guidance ‘FG17/16: The treatment of politically exposed persons
for anti-money laundering purposes’ provides further guidance on
this definition.
FATF See ‘Financial Action Task Force’.
FATF Recommendations Forty Recommendations issued by the FATF on the structural, su-
pervisory and operational procedures that countries should have
in place to combat money laundering. These were revised in Feb-
ruary 2012, and now incorporate the nine Special Recommenda-
tions on the prevention of terrorist financing that were previously
listed separately. The Forty Recommendations can be downloaded
from the FATF’s website: http://www.fatf-gafi.org/publications/fat-
frecommendations/documents/fatf-recommendations.html
FATF-style regional bodies Regional international bodies such as Moneyval and the Asia-Paci-
fic Group which have a similar form and functions to those of the
FATF. The FATF seeks to work closely with such bodies.
FI See ‘Financial Investigator’.
Financial Action Task Force An intergovernmental body that develops and promotes anti-
(FATF) money laundering and counter terrorist financing standards
worldwide. Further information is available on its website:
www.fatf-gafi.org
Financial Conduct Authority The Financial Conduct Authority has statutory objectives under
(FCA) FSMA that include protecting and enhancing the integrity of the
UK financial system. The integrity of the UK financial system in-
cludes its not being used for a purpose connected with financial
crime. We have supervisory responsibilities under the Money Laun-
dering Regulations for authorised firms and businesses such as
leasing companies and providers of safe deposit boxes. We also
have functions under other legislation such as Schedule 7 to the
Counter-Terrorism Act 2008.

Term Meaning
financial crime Financial crime is any crime involving money. More formally, the Annex
Financial Services and Markets Act 2000 defines financial crime ‘to
include any offence involving (a) fraud or dishonesty; (b) miscon-
duct in, or misuse of information relating to, a financial market;
or (c) handling the proceeds of crime’. The use of the term ‘to in-
clude’ means financial crime can be interpreted widely to include,
for example, corruption or funding terrorism.
financial intelligence unit (FIU) The IMF uses the following definition: ‘a central national agency
responsible for receiving, analyzing, and transmitting disclosures
on suspicious transactions to the competent authorities.’ The NCA
has this role in the UK.
Financial Investigator (FI) Financial Investigators are accredited people able under the relev-
ant legislation to investigate financial offences and recover the
proceeds of crime.
financial sanctions regime This prohibits firms from providing funds and other economic re-
sources (and, in the case of designated terrorists, financial ser-
vices) to individuals and entities on a Consolidated List maintained
OFSI. OFSI is responsible for ensuring compliance with the UK’s fin-
ancial sanctions regime; our role is to ensure firms have appropri-
ate systems and controls to enable compliance.
Financial Services and Markets The Financial Services and Markets Act 2000 sets out the object-
Act 2000 (FSMA) ives, duties and powers of the Financial Conduct Authority and
the Prudential Regulation Authority.
Financial Services Authority The Financial Services Authority was the previous financial services
(FSA) regulator. It had statutory objectives under FSMA that included
the reduction of financial crime. The FSA had supervisory respons-
ibilities under the Money Laundering Regulations for authorised
firms and businesses such as leasing companies and providers of
safe deposit boxes. It also had functions under other legislation
such as the Transfer of Funds (Information on the Payer) Regula-
tions 2007, in relation to the EU Wire Transfer Regulation, and
schedule 7 to the Counter-Terrorism Act 2008.
FIU See ‘financial intelligence unit’.
four-eyes procedures Procedures that require the oversight of two people, to lessen the
risk of fraudulent behaviour, financial mismanagement or incom-
petence going unchecked.
Fourth Money Laundering Dir- The Fourth Money Laundering Directive (2015/849/EC). The UK has
ective (4MLD) implemented this Directive mainly through the Money Laundering
Regulations.
fraud (types of) Fraud can affect firms and their customers in many ways. The fol-
lowing are examples of fraud:
• a firm is defrauded by customers (e.g. mortgage fraud);
• a firm is defrauded by employees or contractors (‘in-
siders’) (e.g. a staff member steals from his employer and
amends records to cover-up the theft);
• a firm’s customers are defrauded by an insider (e.g. a staff
member steals customers’ money);
• a firm’s customers are defrauded after a third party mis-
leads the firm (e.g. criminals evade security measures to
gain access to a customer’s account);
• a firm’s customers are defrauded by a third party because
of the firm’s actions (e.g. the firm loses sensitive personal
data allowing the customer’s identity to be stolen);

Term Meaning
Annex • a customer is defrauded, with a firm executing payments
connected to this fraud on the customer’s instruction (e.g.
a customer asks his bank to transfer funds to what turns
out to be a share sale scam).
See also: ‘advance fee fraud’, ‘boiler room’, ‘carbon credit scams’,
‘investment fraud’, ‘land banking scams’, ‘long firm fraud’, ‘mass-
marketing fraud’, ‘Missing Trader Inter-Community fraud’, ‘Ponzi
and pyramid schemes’, ‘share sale fraud’.
Fraud Act 2006 The Fraud Act 2006 sets out a series of fraud offences such as
fraud by false representation, fraud by failing to disclose informa-
tion and fraud by abuse of position.
FSA See ‘Financial Services Authority’.
FSMA See ‘Financial Services and Markets Act 2000’.
FSRB See ‘FATF-style regional bodies’.
fuzzy matching The JMLSG suggests the term ‘fuzzy matching’ ‘describes any pro-
cess that identifies non-exact matches. Fuzzy matching software
solutions identify possible matches where data – whether in offi-
cial lists or in firms’ internal records – is misspelled, incomplete, or
missing. They are often tolerant of multinational and linguistic dif-
ferences in spelling, formats for dates of birth, and similar data. A
sophisticated system will have a variety of settings, enabling
greater or less fuzziness in the matching process’. See Part III of
the JMLSG’s guidance: http://www.jmlsg.org.uk/download/10007
Funds Transfer Regulation This EU Regulation is formally titled ‘Regulation (EU) 2015/847 of
the European Parliament and of the Council of 20 May 2015 on in-
formation accompanying transfers of funds’. It implements FATF’s
Recommendation 16 in the EU and requires firms to accompany
the transfer of funds with specified information identifying the
payer and the payee. We are given supervisory and enforcement
powers for compliance with this regulation by the Money Laun-
dering Regulations.
high-value dealer A firm trading in goods (e.g. cars, jewellery and antiques) that ac-
cepts cash of €10,000 or more in payment (whether in one go or
in several payments that appear to be linked). HMRC is the super-
visory authority for high value dealers. A full definition is set out
in Regulation 14(1)(a) of the Money Laundering Regulations.
HM Revenue and Customs HM Revenue and Customs has supervisory responsibilities under
(HMRC) the Money Laundering Regulations. It oversees money service busi-
nesses, dealers in high value goods, estate agents and trust or
company service providers, amongst others. See HMRC’s website
for more information: https://www.gov.uk/topic/business-tax/
money-laundering-regulations
HMRC See ‘HM Revenue and Customs’.
HMT See ‘Treasury’.
ICO See ‘Information Commissioner’s Office’.
ID Identification (or Identity Documents).
identification The JMLSG’s definition is: ‘ascertaining the name of, and other rel-
evant information about, a customer or beneficial owner’.
IFB Insurance Fraud Bureau.
Information Commissioner’s Of- The Information Commissioner’s Office is tasked with protecting
fice (ICO) the public’s personal information. See the ICO’s website for fur-
ther information: www.ico.org.uk

Term Meaning
Information From Lenders (IFL) The Information From Lenders scheme enables mortgage lenders Annex
to inform the FCA of suspected fraud by mortgage brokers. De-
tails are here: https://www.fca.org.uk/firms/fraud/report-mortgage-
fraud-advisers
insider fraud Fraud against a firm committed by an employee or group of em-
ployees. This can range from junior staff to senior management,
directors, etc. Insiders seeking to defraud their employer may
work alone, or with others outside the firm, including organised
criminals.
Institute of Chartered Account- The Institute of Chartered Accountants in England and Wales has
ants in England and Wales supervisory responsibility for its members under the Money Laun-
(ICAEW) dering Regulations, as do other professional bodies for account-
ants and book-keepers. See the ICAEW’s website for further in-
formation:www.icaew.com
integration See ‘placement, layering, integration’.
investment fraud UK-based investors lose money every year to share sale frauds and
other scams including, but not limited to, land-banking frauds,
Ponzi schemes, and rogue carbon credit schemes. See FCA’s
scamsmart, http://scamsmart.fca.org.uk/
JMLSG See ‘Joint Money Laundering Steering Group’.
Joint Money Laundering Steer- This industry body is made up of financial sector trade bodies. It
ing Group (JMLSG) produces guidance on compliance with legal and regulatory re-
quirements related to money laundering. See the JMLSG’s website
for more information: www.jmlsg.org.uk
Know Your Customer (KYC) This term is often used as a synonym for ‘customer due diligence’
checks. The term can also refer to suitability checks related to the
regulated sales of financial products. The Money Laundering Regu-
lations refer to ‘customer due diligence’ and not to KYC.
known close associate of a PEP Regulation 35(12)(c) of the Money Laundering Regulations defines
a known close associate of a PEP as being either an individual
known to have joint beneficial ownership of a legal entity or a
legal arrangement or any other close business relations with a PEP
or an individual who has sole beneficial ownership of a legal en-
tity or a legal arrangement which is known to have been set up
for the benefit of a PEP.
KYC See ‘Know Your Customer’.
land banking scams Land banking companies divide land into smaller plots to sell it to
investors on the basis that once it is available for development it
will soar in value. However, the land is often in rural areas, with
little chance of planning permission being granted. See: https://
www.fca.org.uk/consumers/land-banking-investment-schemes
layering See ‘placement, layering, integration’.
long firm fraud A fraud where an apparently legitimate company is established
and, over a period of time, builds up a good credit record with
wholesalers, paying promptly for modest transactions. Correspond-
ence from bankers may be used by them as evidence of good
standing. The company then places a large order, takes delivery,
but disappears without paying. This type of fraud is not limited to
wholesalers of physical goods: financial firms have been victim to
variants of this scam.
MLRO See ‘Money Laundering Reporting Officer’.
mass-marketing fraud Action Fraud (the UK’s national fraud reporting centre) says “Mass
marketing fraud is when you receive an uninvited contact by em-
ail, letter, phone or adverts, making false promises to con you out
of money.” Share sale fraud is a type of mass marketing fraud.

Term Meaning
Annex See: www.actionfraud.police.uk/types-of-fraud/mass-marketing-
fraud
Missing Trader Inter-Community This fraud exploits the EU system for rebating Value Added Tax
(MTIC) fraud payments in situations where goods have moved across borders
within the EU. National authorities are misled into giving rebates
to import-export companies that are not entitled to them.
money laundering The process by which the proceeds of crime are converted into as-
sets which appear to have a legitimate origin, so that they can be
retained permanently, or recycled to fund further crime.
Money Laundering Directive See ‘Fourth Money Laundering Directive’.
Money Laundering Reporting The MLRO is responsible for ensuring that measures to combat
Officer (MLRO) money laundering within the firm are effective. The MLRO is also
usually the ‘nominated officer’ under the Proceeds of Crime Act
(POCA).
The MLRO is a ‘controlled function’ under the Approved Persons
Regime and a ‘senior management function’ under the Senior
Managers and Certification Regime.
Market Abuse Regulation MAR, short for Market Abuse Regulation (EU No.596/2014),
(MAR) entered into force on 3 July 2016. It contains the civil offences of
insider dealing, unlawful disclosure of inside information and mar-
ket manipulation, in addition to provisions to prevent and detect
these offences.
Money Laundering Regulations The Money Laundering Regulations 2007 (SI 2007/2157) trans-
posed the Third Money Laundering Directive into UK law. The Re-
gulations require firms to take specified steps to detect and pre-
vent both money laundering and terrorist financing. The Money
Laundering Regulations 2007 were revoked and replaced by the
Money Laundering Regulations 2017.
Money Laundering Regulations The Money Laundering Regulations 2017 (SI 2017/692) transpose
2017 the requirements of the Third Fourth Money Laundering Directive
into UK law. The Regulations require firms to take specified steps
to detect and prevent both money laundering and terrorist
financing.
The Regulations identify the firms we supervise and impose on us
a duty to take measures to secure those firms’ compliance with
the Regulations’ requirements.
Money Laundering Reporting The MLRO is responsible for ensuring that measures to combat
Officer (MLRO) money laundering within the firm are effective. The MLRO is also
usually the ‘nominated officer’ under the Proceeds of Crime Act
(POCA).
The MLRO is a ‘controlled function’ under the Approved Persons
Regime and a ‘senior management function’ under the Senior
Managers and Certification Regime.
money service business (MSB) An undertaking that by way of business operates a currency ex-
change office, transmits money (or any representations of monet-
ary value) by any means or which cashes cheques which are made
payable to customers. (See Regulation 3(1) of the Money Laun-
dering Regulations.) Firms authorised under FSMA must inform us
if they provide MSB services. For more information about this, see:
https://www.fca.org.uk/firms/money-laundering-terrorist-financing/
reporting HM Revenue and Customs supervises the AML controls
of money service businesses that are not authorised under FSMA.
More information about registration with HMRC can be found on
its website:https://www.gov.uk/topic/business-tax/money-laun-
dering-regulations

Term Meaning
mortgage brokers, general in- Mortgage brokers, general insurers (including managing agents Annex
surers and general insurance in- and the Society of Lloyd’s) and general insurance intermediaries
termediaries are subject to the high-level regulatory requirement to counter
financial crime set out in SYSC 3.2.6R. However, they are not sub-
ject to the Money Laundering Regulations or the provisions of the
Handbook that specifically relate to money laundering (SYSC
3.2.6AR –SYSC 3.2.6JG).
Firms offering these services alongside other products that are sub-
ject to the Money Laundering Regulations (such as banking and
stock broking services) can therefore apply different customer due
diligence checks in both situations. But in practice, many will
choose to apply a consistent approach for the sake of operational
convenience.
MSB See ‘money service business’.
MTIC See ‘Missing Trader Inter-Community Fraud’.
National Crime Agency (NCA) The NCA leads the UK’s fight against serious and organised crime.
It became operational, replacing the Serious Organised Crime
Agency, in October 2013. For more information see the NCA’s web-
site:http://www.nationalcrimeagency.gov.uk/ .
NCA See ‘National Crime Agency’.
NCCT See ‘non-cooperative countries or territories’.
nominated officer Regulation 3(1) of the Money Laundering Regulations defines this
as “a person who is nominated to receive disclosures under Part 3
(terrorist property) of the Terrorism Act 2000 or Part 7 (money
laundering) of the Proceeds of Crime Act 2002”. See section 330
of POCA, Part 3 of the Terrorism Act 2000, and Regulation 21(3)
of the Money Laundering Regulations which requires all firms to
appoint a nominated officer.
non-cooperative countries and FATF can designate certain countries and territories as being non-
territories cooperative. This indicates severe weaknesses in anti-money laun-
dering arrangements in those jurisdictions. An up-to-date state-
ment can be found on the FATF website. The JMLSG has prepared
guidance for firms on how to judge the risks of conducting busi-
ness in different countries.
occasional transaction Any transaction (carried out other than as part of a business rela-
tionship) amounting to €15,000 or more, whether the transaction
is carried out in a single operation or several operations which ap-
pear to be linked. (See Regulation 27(2) of the Money Laundering
Regulations.)
Any transaction that amounts to a transfer of funds within the
meaning of article 3(9) of the Funds Transfer Regulation ex-
ceeding €1,000.
Office of Financial Sanctions Im- The Office of Financial Sanctions Implementation within HM Treas-
plementation (OFSI) ury is responsible for the implementation and administration of
the UK sanctions regime. See: https://www.gov.uk/government/or-
ganisations/office-of-financial-sanctions-implementation for more.
ongoing monitoring The Money Laundering Regulations require ongoing monitoring
of business relationships. This means that the transactions per-
formed by a customer, and other aspects of their behaviour, are
scrutinised throughout the course of their relationship with the
firm. The intention is to spot where a customer’s actions are incon-
sistent with what might be expected of a customer of that type,
given what is known about their business, risk profile etc. Where
the risk associated with the business relationship is increased,
firms must enhance their ongoing monitoring on a risk-sensitive

Term Meaning
Annex basis. Firms must also update the information they hold on cus-
tomers for anti-money laundering purposes.
payment institutions A ‘payment institution’ is a UK firm which is required under the
Payment Services Regulations 2017 (SI 2017/752) to be authorised
or registered in order to provide payment services in the UK. This
term is not used to describe payment service providers that are al-
ready authorised by us because they carry out regulated activities
(such as banks and e-money institutions) or that are exempt under
the Payment Services Regulations (such as credit unions). For more
information, see our publication. For the FCA’s approach to Pay-
ment institutions and e-money institutions under the Payment Ser-
vices Regulations and the Electronic Money Regulations, see
https://www.fca.org.uk/publication/finalised-guidance/fca-ap-
proach-payment-services-electronic-money-2017.pdf.
PEP See ‘politically exposed person’.
placement, layering, integration The three stages in a common model of money laundering. In the
placement stage, money generated from criminal activity (e.g.
funds from the illegal import of narcotics) is first introduced to
the financial system. The layering phase sees the launderer en-
tering into a series of transactions (e.g. buying, and then cancel-
ling, an insurance policy) designed to conceal the illicit origins of
the funds. Once the funds are so far removed from their criminal
source that it is not feasible for the authorities to trace their ori-
gins, the integration stage allows the funds to be treated as os-
tensibly ‘clean’ money.
POCA See ‘Proceeds of Crime Act 2002’.
politically exposed person (PEP) A person entrusted with a prominent public function. See Regula-
tion 35 of the Money Laundering Regulations and Finalised Guid-
ance ‘FG17/16: The treatment of politically exposed persons for
anti-money laundering purposes’ https://www.fca.org.uk/publica-
tions/finalised-guidance/fg17-6-treatment-politically-exposed-per-
sons-peps-money-laundering.
Ponzi and pyramid schemes Ponzi and pyramid schemes promise investors high returns or divi-
dends not usually available through traditional investments. While
they may meet this promise to early investors, people who invest
in the scheme later usually lose their money; these schemes col-
lapse when the unsustainable supply of new investors dries up. In-
vestors usually find most or all of their money is gone, and the
fraudsters who set up the scheme have disappeared.
Proceeds of Crime Act 2002 POCA criminalises all forms of money laundering and creates
(POCA) other offences such as failing to report a suspicion of money laun-
dering and ‘tipping off’.
Production Order The Proceeds of Crime Act 2002 allows Financial Investigators to
use production orders to obtain information from financial firms
about an individual’s financial affairs.
Proliferation finance Funding the proliferation of weapons of mass destruction in con-
travention of international law.
pyramid schemes See ‘Ponzi and pyramid schemes’.
Recognised investment ex- To be recognised under FSMA, exchanges and clearing houses
changes, and recognised clear- must, among other things, adopt appropriate measures to:
ing houses • reduce the extent to which their facilities can be used for
a purpose connected with market abuse or financial
crime; and
• monitor the incidence of market abuse or financial crime,
and facilitate its detection.

Term Meaning
Measures should include the monitoring of transactions. This is set Annex
out REC, which contains our guidance on our interpretation of
the recognition requirements. It also explains the factors we may
consider when assessing a recognised body’s compliance with the
requirements. Regulation 7(1)(a)(vii) of the Money Laundering Re-
gulations confers supervisory functions on the FCA to oversee reco-
gnised investment exchanges’ compliance with requirements im-
posed on them by those regulations.
reliance The Money Laundering Regulations allow a firm to rely on cus-
tomer due diligence checks performed by others. However, there
are many limitations on how this can be done. First, the relying
firm remains liable for any failure to apply these checks. Second,
the firm being relied upon must give its consent. Third, the law
sets out exactly what kinds of firms may be relied upon. See Regu-
lation 39 of the Money Laundering Regulations and the JMLSG
guidance for more detail.
safe deposit boxes The FCA is responsible for supervising anti-money laundering con-
trols of safe custody services; this includes the provision of safe de-
posit boxes.
sanctions See ‘financial sanctions regime’.
SAR See ‘Suspicious Activity Report’.
Senior Management Arrange- See ‘SYSC’.
ments, Systems and Controls
sourcebook
share sale fraud Share scams are often run from ‘boiler rooms’ where fraudsters
cold-call investors offering them often worthless, overpriced or
even non-existent shares. While they promise high returns, those
who invest usually end up losing their money. We have found vic-
tims of boiler rooms lose an average of £20,000 to these scams,
with as much as £200m lost in the UK each year. Even seasoned in-
vestors have been caught out, with the biggest individual loss re-
corded by the police being £6m. We receive almost 5,000 calls
each year from people who think they are victims of boiler room
fraud. See: http://scamsmart.fca.org.uk
simplified due diligence (SDD) Regulation 37 of the Money Laundering Regulations allows firms,
where they assess that a business relationship or transaction pre-
sents a low degree of risk of money laundering or terrorist finan-
cing. This regulation sets out a series of factors firms should con-
sider when determining this risk.
SDD does not exempt firms from applying CDD measures but per-
mits them to adjust the extent, timing or type of the measures it
undertakes to reflect the lower risk it has assessed. A firm is re-
quired to carry out sufficient monitoring of any business relation-
ships or transactions which are subject to those measures to en-
able it to detect any unusual or suspicious transactions.
Solicitors Regulation Authority The Solicitors Regulation Authority has supervisory responsibility
(SRA) for solicitors under the Money Laundering Regulations. The Bar
Council and other professional bodies for the legal sector perform
a similar role for their members. See www.sra.org.uk for more in-
formation.
Special Recommendations See ‘FATF Special Recommendations’.
source of funds and source of ‘Source of wealth’ describes how a customer or beneficial owner
wealth acquired their total wealth.
‘Source of funds’ refers to the origin of the funds involved in the
business relationship or occasional transaction. It refers to the ac-
tivity that generated the funds, for example salary payments or

Term Meaning
Annex sale proceeds, as well as the means through which the customer’s
or beneficial owner’s funds were transferred.
SRA See ‘Solicitors Regulation Authority’.
STOR See ‘Suspicious Transaction and Order Report’.
Suspicious Activity Report (SAR) A report made to the NCA about suspicions of money laundering
or terrorist financing. This is commonly known as a ‘SAR’. See also
‘Suspicious Transaction Report’.
Suspicious Transaction and Or- A report made to the FCA in accordance with articles 16(1) and
der Report (STOR) 16(2) of the Market Abuse Regulation about any suspicious order
or transaction. For more see: https://www.fca.org.uk/markets/mar-
ket-abuse/suspicious-transaction-order-reports/stor-supervisory-
priorities
SWIFT SWIFT (the Society for Worldwide Interbank Financial Telecommu-
nication) provides the international system used by banks to send
the messages that effect interbank payments.
SYSC SYSC is the Senior Management Arrangements, Systems and Con-
trols sourcebook of the Handbook. It sets out the responsibilities
of directors and senior management. SYSC includes rules and guid-
ance about firms’ anti-financial crime systems and controls. These
impose obligations to establish and maintain effective systems
and controls for countering the risk that the firm might be used
to further financial crime’ (see SYSC 6.1.1R, or for insurers, man-
aging agents and Lloyd’s, SYSC 3.2.6R).
SYSC 6.3 contains anti-money laundering specific rules and guid-
ance. These provisions are also set out in SYSC 3.2.6AR to SYSC
3.2.6JG as they apply to certain insurers, managing agents and
Lloyd’s. These money laundering specific provisions of SYSC do not
apply to mortgage brokers, general insurers and general insur-
ance intermediaries.
terrorist finance The provision of funds or other assets to support a terrorist ideo-
logy, a terrorist infrastructure or individual operations. It applies
to domestic and international terrorism.
TF Terrorist financing (also ‘CTF’).
third party ‘Third party’ is a term often used to refer to entities that are in-
volved in a business or other transaction but are neither the firm
nor its customer. Where a third party acts on a firm’s behalf, it
might expose the firm to financial crime risk.
tipping off The offence of tipping off is committed where a person discloses
that:
• any person has made a report under the Proceeds of
Crime Act 2002 to the Police, HM Revenue and Customs
or the NCA concerning money laundering, where that dis-
closure is likely to prejudice any investigation into the re-
port; or
• an investigation into allegations that an offence of
money laundering has been committed, is being contem-
plated or is being carried out.
See section 333A of the Proceeds of Crime Act 2002. A similar of-
fence exists in relation to terrorism (including terrorism financing)
by virtue of section 21D of the Terrorism Act 2000.
trade sanctions Government restrictions on the import or export of certain goods
and services, often to or from specific countries, to advance for-
eign policy objectives. See ‘economic sanctions’.

Term Meaning
Treasury The Treasury is the UK government’s AML policy lead. It also imple- Annex
ments the UK’s financial sanctions regime through OFSI.
trust or company service A formal legal definition of ‘trust or company service provider’ is
provision given in Regulation 12(2) of the Money Laundering Regulations. A
simple definition might be ‘an enterprise whose business creates,
or enables the creation of, trusts and companies on behalf of
others for a fee’. International standard setters have judged that
such services can be abused by those seeking to set up corporate
entities designed to disguise the true origins of illicit funds.
The firms we authorise must inform us if they provide trust or
company services. For more information about this, see: https://
www.fca.org.uk/firms/money-laundering-terrorist-financing/
reporting
Trust or company service providers that are not authorised by us
have their anti-money laundering controls supervised by HM Rev-
enue and Customs. More information can be found at its website:
https://www.gov.uk/topic/business-tax/money-laundering-re-
gulations
verification Making sure the customer or beneficial owner is who they claim
to be. Regulation 28 of the Money Laundering Regulations re-
quires the customer’s identity to be verified on the basis of docu-
ments or information in either case obtained from a reliable
source which is independent of the person whose identity is being
verified. This includes documents issued or made available by an
official body even if they are provided or made available to the
firm by or on behalf of the customer. It also refers to checking any
beneficial owner in a way that the firm is satisfied that it knows
who the beneficial owner is; see Regulation 5 of the Money Laun-
dering Regulations.
Wolfsberg Group An association of global banks, including UK institutions, which
aims to ‘develop financial services industry standards, and related
products, for Know Your Customer, Anti-Money Laundering and
Counter Terrorist Financing policies’. See its website for more:
www.wolfsberg-principles.com

Annex

Financial Crime Guide

Uploaded by

Copyright:

Available Formats

Financial Crime Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Financial Crime Guide

Uploaded by

Copyright:

Available Formats

Financial Crime Guide:

Financial Crime Guide: A firm’s guide to countering

1.1 What is the FCG?

FCG 2 Financial crime systems and controls

FCG 3 Money laundering and terrorist ﬁnancing

FCG 5 Data security

FCG 6 Bribery and corruption

FC–i www.handbook.fca.org.uk ■ Release 36 ● Feb 2019

6.4 Sources of further information

FCG 7 Sanctions and asset freezes

FCG 8 Insider dealing and market manipulation

FCG Annex Common terms

■ Release 36 ● Feb 2019 www.handbook.fca.org.uk FC–ii

FC–iii www.handbook.fca.org.uk ■ Release 36 ● Feb 2019

■ Release 36 ● Feb 2019 www.handbook.fca.org.uk FCG 1/1

•Principles 1 (integrity), 2 (skill, care and diligence), 3 (management

•the Statements of Principle for Approved Persons set out in

•in relation to guidance on money laundering, the rules in

FCG 1/2 www.handbook.fca.org.uk ■ Release 36 ● Feb 2019

■ Release 36 ● Feb 2019 www.handbook.fca.org.uk FCG 1/3

•‘must’ where provisions are mandatory because they are required by

•‘should’ to describe how we would normally expect a firm to meet

•‘may’ to describe examples of good practice that go beyond basic

•We say in ■ FCG 2.2.1G (Governance) that senior management should

•We ask in ■ FCG 3.2.5G (Ongoing monitoring) how a firm monitors

FCG 1/4 www.handbook.fca.org.uk ■ Release 36 ● Feb 2019

Financial crime: a guide for firms

•These questions will help you to consider whether your firm’s

•The FCA may follow similar lines of inquiry when discussing

•The questions draw attention to some of the key points firms

Examples of good practice Examples of poor practice

Case studies and other information

■ Release 36 ● Feb 2019 www.handbook.fca.org.uk FCG 1/5

1.4.1 Where to find out more:

•Most sections close with some sources of further information..

•This includes cross-references to relevant guidance in FCTR.

•It also includes links to external websites and materials. Although

FCG 1/6 www.handbook.fca.org.uk ■ Release 36 ● Feb 2019

Financial crime systems and

■ Release 36 ● Feb 2019 www.handbook.fca.org.uk FCG 2/1

FCG 2/2 www.handbook.fca.org.uk ■ Release 36 ● Feb 2019

•When did senior management, including the board or appropriate

•How are senior management kept up to date on financial crime

Examples of good practice Examples of poor practice

■ Release 36 ● Feb 2019 www.handbook.fca.org.uk FCG 2/3

Management information (MI)

•an overview of the financial crime risks to which the firm is

•legal and regulatory developments and the impact these have on

•an overview of the effectiveness of the firm’s financial crime systems

•an overview of staff expenses, gifts and hospitality and charitable

•relevant information about individual business relationships, for

•Who has ultimate responsibility for financial crime matters,

FCG 2/4 www.handbook.fca.org.uk ■ Release 36 ● Feb 2019

•Does the structure promote a coordinated approach and

•Are the firm’s financial crime teams adequately resourced to carry

•In smaller firms: do those with financial crime responsibilities have

Examples of good practice Examples of poor practice

•be comprehensive and consider a wide range of factors – it is not

•draw on a wide range of relevant information – it is not normally