FCG 3.2 Themes

Governance

FCG 3.2.1

The guidance in FCG 2.2.1G on governance in relation to financial crime also applies to money laundering. We expect senior management to take responsibility for the firm’s anti-money laundering (AML) measures. This includes knowing about the money laundering risks to which the firm is exposed and ensuring that steps are taken to mitigate those risks effectively.

Regulation 21(1)(a) of the Money Laundering Regulations requires a firm subject to the regulations, where appropriate with regard to the size and nature of its business, to appoint one individual who is a member of its board of directors (or, if there is no board, of its equivalent management body) or of its senior management as the officer responsible for compliance with the regulations. Regulation 21(3) also requires the appointment of a nominated officer. Regulation 21(4) requires a firm to inform its supervisory authority of the identity of the individual appointed (including any subsequent appointments) within 14 days of the appointment.

As SYSC 6.3.9R and SYSC 3.2.6IR also require firms subject to those provisions to have an MLRO, the FCA expects that the MLRO can be the same individual appointed under Regulation 21(1)(a) and/or 21(3) of the Money Laundering Regulations, so firms do not need to make a separate notification to the FCA.

Self-assessment questions:

  • Who has overall responsibility for establishing and maintaining effective AML controls? Are they sufficiently senior?

  • What are the reporting lines?

  • Do senior management receive informative, objective information that is sufficient to enable them to meet their AML obligations?

  • How regularly do senior management commission reports from the MLRO? (This should be at least annually.) What do they do with the reports they receive? What follow-up is there on any recommendations the MLRO makes?

  • How are senior management involved in approving relationships with high risk customers, including politically exposed persons (PEPs)?

Examples of good practice:

  • Reward structures take account of any failings related to AML compliance.

  • Decisions on accepting or maintaining high money laundering risk relationships are reviewed and challenged independently of the business relationship and escalated to senior management or committees.

  • Documentation provided to senior management to inform decisions about entering or maintaining a business relationship provides an accurate picture of the risk to which the firm would be exposed if the business relationship were established or maintained.

  • A UK parent undertaking meets the obligations under Regulation 20 of the Money Laundering Regulations, including ensuring that AML policies, controls and procedures apply to all its branches and subsidiaries outside the UK.

Examples of poor practice:

  • There is little evidence that AML is taken seriously by senior management. It is seen as a legal or regulatory necessity rather than a matter of true concern for the business.

  • Senior management attach greater importance to the risk that a customer might be involved in a public scandal than to the risk that the customer might be corrupt or otherwise engaged in financial crime.

  • The board never considers MLRO reports.

  • A UK branch or subsidiary uses group policies which do not comply fully with UK AML legislation and regulatory requirements.

The Money Laundering Reporting Officer (MLRO)

FCG 3.2.2

This section applies to firms that are subject to the money laundering provisions in SYSC 3.2.6A – J or SYSC 6.3, except that it does not apply to sole traders who have no employees.

Firms to which this section applies must appoint an individual as MLRO. The MLRO is responsible for oversight of the firm’s compliance with its anti-money laundering obligations and should act as a focal point for the firm’s AML activity. Regulation 21(1)(a) of the Money Laundering Regulations also requires the appointment of a senior manager as the officer responsible for the relevant person’s compliance with these regulations. Where appropriate, this section can be relevant to how that person meets their obligations under the Money Laundering Regulations. If the MLRO meets the requirements in regulation 21(1)(a) and (3), firms need not make a separate notification to us.

Self-assessment questions:

  • Does the MLRO have sufficient resources, experience, access and seniority to carry out their role effectively?

  • Do the firm’s staff, including its senior management, consult the MLRO on matters relating to money laundering?

  • Does the MLRO escalate relevant matters to senior management and, where appropriate, the board?

  • What awareness and oversight does the MLRO have of the highest risk relationships?

Examples of good practice:

  • The MLRO is independent, knowledgeable, robust and well-resourced, and poses effective challenge to the business where warranted.

  • The MLRO has a direct reporting line to executive management or the board.

Examples of poor practice:

  • The MLRO lacks credibility and authority, whether because of inexperience or lack of seniority.

  • The MLRO does not understand the policies they are supposed to oversee or the rationale behind them.

  • The MLRO of a firm which is a member of a group has not considered whether group policy adequately addresses UK AML obligations.

  • The MLRO is unable to retrieve information about the firm’s high-risk customers on request and without delay, and plays no role in monitoring such relationships.

See SYSC 3.2.6IR and SYSC 6.3.9R.

Risk assessment

FCG 3.2.3

The guidance in FCG 2.2.4G and FCG 7.2.5G on risk assessment in relation to financial crime and proliferation financing (PF) also applies.

The assessment of financial crime and PF risk is at the core of the firm’s AML, counter-terrorist financing (CTF) and counter-PF effort and is essential to the development of effective AML/CTF/PF policies and procedures. A firm is required by Regulation 18 of the Money Laundering Regulations to undertake a risk assessment. Regulation 18A of those regulations also requires relevant persons to undertake a risk assessment in relation to PF.

Firms must therefore put in place systems and controls to identify, assess, monitor and manage money laundering, terrorist financing and PF risk. These systems and controls must be comprehensive and proportionate to the nature, scale and complexity of a firm’s activities. Firms must regularly review their risk assessment to ensure it remains current.

Under section 188 of the Economic Crime and Corporate Transparency Act 2023, firms are able to share information with one another for the purpose of preventing, detecting and investigating economic crime. Regulated firms should use this information to assist with their risk-based decision making and should not share it for commercial reasons or to give sectors additional powers to exclude customers inappropriately. Firms must also consider their obligations under the UK General Data Protection Regulation.

Self-assessment questions:

  • Which parts of the business present greater risks of money laundering, terrorist financing and PF? (Has your firm identified the risks associated with different types of customers or beneficial owners, products, services, activities, transactions, business lines, geographical locations and delivery channels (e.g. internet, telephone, branches)? Has it assessed the extent to which these risks are likely to be an issue for the firm?)

  • How does the risk assessment inform your day-to-day operations? (For example, is there evidence that it informs the level of customer due diligence you apply or your decisions about accepting or maintaining relationships?)

  • For cryptoasset businesses, how do you assess and address the risks of different types of cryptoasset (e.g. anonymity-enhanced or privacy coins)?

Examples of good practice:

  • There is evidence that the firm’s risk assessment informs the design of anti-money laundering controls.

  • The firm has identified good sources of information on money laundering, terrorist financing and PF risks, such as National Risk Assessments, FATF mutual evaluations and typology reports, NCA alerts, press reports, court judgements, reports by non-governmental organisations and commercial due diligence providers.

  • Consideration of the money laundering, terrorist financing and PF risk associated with individual business relationships takes account of factors such as:

    - company structures;

    - political connections;

    - country risk;

    - the customer’s or beneficial owner’s reputation;

    - source of wealth;

    - source of funds;

    - expected account activity;

    - factors relating to the customer’s countries or geographic areas of operations;

    - products and services;

    - transactions;

    - delivery channels;

    - sector risk; and

    - involvement in public contracts.

  • The firm identifies where there is a risk that a relationship manager might become too close to customers to identify and take an objective view of the money laundering risk. It manages that risk effectively.

  • The firm engages with public-private partnerships and private-private partnerships to gather insights on the latest financial crime typologies and additional controls that might be relevant, and shares its own best practice examples.

Examples of poor practice:

  • An inappropriate risk classification system makes it almost impossible for a relationship to be classified as ‘high risk’.

  • Higher risk countries are allocated low-risk scores to avoid enhanced due diligence measures.

  • Relationship managers are able to override customer risk scores without sufficient evidence to support their decision.

  • Risk assessments on money laundering are unduly influenced by the potential profitability of new or existing relationships.

  • The firm cannot evidence why customers are rated as high, medium or low risk.

  • A UK branch or subsidiary relies on group risk assessments without assessing their compliance with UK AML requirements.

See regulation 18 of the Money Laundering Regulations, SYSC 3.2.6AR, SYSC 3.2.6CR, SYSC 6.3.1R and SYSC 6.3.3R.

Customer due diligence (CDD) checks

FCG 3.2.4

1Firms must identify their customers and, where applicable, their beneficial owners, and then verify their identities. Firms must also understand the purpose and intended nature of the customer’s relationship with the firm and collect information about the customer and, where relevant, beneficial owner. This should be sufficient to obtain a complete picture of the risk associated with the business relationship and provide a meaningful basis for subsequent monitoring.

Firms should note that CDD measures also apply when, in the course of a calendar year, a firm contacts an existing customer as part of any legal duty for the purpose of reviewing information which is relevant to the risk assessment of the customer and relates to its beneficial ownership.

CDD measures must also be applied when the relevant person has to contact an existing customer in order to fulfil any duty under the International Tax Compliance Regulations 2015.

CDD measures must also include taking reasonable measures to understand the ownership and control structure of a customer that is a legal person, trust, company, foundation or similar legal arrangement.

Where all possible means of identifying the beneficial owner of a body corporate have been exhausted and the beneficial owner cannot be identified satisfactorily or at all, firms must take reasonable measures to verify the identity of the senior person in the body corporate responsible for managing it, and must keep written records of the actions taken and any difficulties encountered.

Firms are required to collect proof of company registration (or an excerpt from the register) before establishing a business relationship with certain legal entities, including a company subject to the requirements of Part 21A of the Companies Act 2006, a limited liability partnership or an eligible Scottish partnership. Firms are required to report to Companies House any discrepancies between this information and information which otherwise becomes available to them in the course of complying with the Money Laundering Regulations. Firms may wish to refer to further guidance from Companies House.

In situations where the money laundering risk associated with the business relationship is increased, firms must carry out additional, enhanced due diligence (EDD). FCG 3.2.8G below considers enhanced due diligence.

Where a firm cannot apply customer due diligence measures, including where a firm cannot be satisfied that it knows who the beneficial owner is, it must not enter into, or continue, the business relationship.

Firms should note that an electronic identification process may be regarded as a reliable source for the purposes of CDD verification where that process is independent of the person whose identity is being verified, secure from fraud and misuse, and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact the person with that identity.

Self-assessment questions:

  • Does your firm apply customer due diligence procedures in a risk-sensitive way?

  • Do your CDD processes provide you with a comprehensive understanding of the risk associated with individual business relationships?

  • How does the firm identify the customer’s beneficial owner(s)? Are you satisfied that your firm takes risk-based and adequate steps to verify the beneficial owner’s identity in all cases? Do you understand the rationale for beneficial owners using complex corporate structures?

  • Are procedures sufficiently flexible to cope with customers who cannot provide more common forms of identification (ID)?

  • With non-face-to-face transactions, how does your firm’s approach provide confidence that the person is who they claim to be? How do you test any technology used as part of onboarding?

Examples of good practice:

  • A firm which uses, for example, electronic verification checks or PEPs databases understands their capabilities and limitations.

  • The firm can cater for customers who lack common forms of ID (such as the socially excluded, those in care, etc).

  • The firm understands and documents the ownership and control structures (including the reasons for any complex or opaque corporate structures) of customers and their beneficial owners.

  • The firm obtains information about the purpose and nature of the business relationship sufficient to be satisfied that it understands the associated money laundering risk.

  • Staff who approve new or ongoing business relationships satisfy themselves that the firm has obtained adequate CDD information before doing so.

Examples of poor practice:

  • Procedures are not risk-based: the firm applies the same CDD measures to products and customers of varying risk.

  • The firm has no method for tracking whether checks on customers are complete.

  • The firm allows language difficulties or customer objections to get in the way of proper questioning to obtain necessary CDD information.

  • Staff do less CDD because a customer is referred by senior executives or influential people.

  • The firm has no procedures for dealing with situations requiring enhanced due diligence. This breaches the Money Laundering Regulations.

  • When identifying and verifying the customer’s beneficial owners, the firm fails to consider:

    - any individuals who ultimately control more than 25% of the shares or voting rights of a corporate customer;

    - any individuals who exercise control over the management of a corporate customer; and

    - any individuals who otherwise control the body corporate.

    This breaches the Money Laundering Regulations.

See regulations 5, 6, 27, 28, 30A, 31, 33, 34 and 35 of the Money Laundering Regulations.

Ongoing monitoring

FCG 3.2.5

A firm must conduct ongoing monitoring of its business relationships on a risk-sensitive basis. Ongoing monitoring means scrutinising transactions to ensure that they are consistent with what the firm knows about the customer, and taking steps to ensure that the firm’s knowledge about the business relationship remains current. As part of this, firms must keep documents, data and information obtained in the CDD context (including information about the purpose and intended nature of the business relationship) up to date. A firm must apply CDD measures where it doubts the truth or adequacy of previously obtained documents, data or information (see FCG 3.2.4G).

Where the risk associated with the business relationship is increased, firms must carry out enhanced ongoing monitoring of the business relationship. FCG 3.2.9G provides guidance on enhanced ongoing monitoring.

Self-assessment questions:

  • How are transactions monitored to spot potential money laundering? Are you satisfied that your monitoring (whether automatic, manual or both) is adequate and effective considering such factors as the size, nature and complexity of your business?

  • Does the firm challenge unusual activity and explanations provided by the customer where appropriate?

  • How are unusual transactions reviewed? (Many alerts will be false alarms, particularly when generated by automated systems. How does your firm decide whether behaviour really is suspicious?)

  • How do you feed the findings from monitoring back into the customer’s risk profile?

  • Do you frequently review the monitoring system rules and typologies for effectiveness? Do you understand the threshold and rule rationales?

Examples of good practice:

  • A large retail firm complements its other efforts to spot potential money laundering by using an automated system to monitor transactions.

  • Where a firm uses automated transaction monitoring systems, it understands their capabilities and limitations.

  • Small firms are able to apply credible manual procedures to scrutinise customers’ behaviour.

  • The ‘rules’ underpinning monitoring systems are understood by the relevant staff and updated to reflect new trends.

  • The firm uses monitoring results to find out whether CDD remains adequate.

  • The firm takes advantage of customer contact as an opportunity to update due diligence information.

  • The firm demonstrates a risk-based approach following a monitoring event. This could include implementing regular periodic reviews and having procedures for event-driven reviews.

  • Customer-facing staff are engaged with, but do not control, the ongoing monitoring of relationships.

  • The firm updates CDD information and reassesses the risk associated with the business relationship where monitoring indicates material changes to a customer’s profile.

Examples of poor practice:

  • The firm fails to take adequate measures to understand the risk associated with the business relationship and is therefore unable to conduct meaningful monitoring.

  • The MLRO can provide little evidence that unusual transactions are brought to their attention.

  • Staff always accept a customer’s explanation for unusual transactions at face value and do not probe further.

  • The firm does not take risk-sensitive measures to ensure CDD information is up to date. This is a breach of the Money Laundering Regulations.

  • A cryptoasset business assumes that blockchain analysis is all that is required to monitor transactions and fails to do its own transaction monitoring based on its knowledge of its customers and on off-chain information.

  • The firm’s measures fail to conduct a full assessment of the risk. For instance, the firm does not consider changes in the nature of the relationship or expected activities.

See regulations 27, 28(11), 33, 34 of the Money Laundering Regulations.

The use of transaction monitoring

FCG 3.2.5A

This section is relevant to a firm using transaction monitoring as part of its ongoing monitoring efforts to detect money laundering, financing of terrorism and proliferation financing (see FCG 3.2.5G (Ongoing monitoring)). This could be relevant to firms serving either retail or wholesale customers.

To date, many large institutions have used transaction monitoring systems that work on a transaction-by-transaction or unusual transaction basis, or combination of the two, flagging fund movements that exceed rule-driven thresholds for human scrutiny. We understand that more sophisticated approaches show potential in this area, and can be used to take a more rounded view of customer behaviour – for example, showing how the customer fits into broader networks of activity. Examples of such sophisticated technologies include the use of machine learning tools or tools based on artificial intelligence to detect suspicious activity or triage existing alerts.

This section applies to the use of both automated and manual transaction monitoring, unless specified otherwise.

Self-assessment questions:

  • Do you understand the effectiveness of your automated monitoring in different business areas?

  • What actions have been taken to mitigate shortcomings that have been identified in business areas?

  • What consideration has been given to alternative varieties of automated monitoring, including the use of novel approaches?

  • Where a firm uses automated methods for triaging alerts generated by threshold-driven transaction-monitoring systems (e.g. scorecards overlaid on existing systems or other systems to prioritise which alerts receive manual attention), can this be justified within the context of the firm’s overall approach to monitoring?

Examples of good practice:

  • New approaches are piloted or subject to evaluation periods, with firms able to demonstrate appropriate testing.

  • Monitoring arrangements (whether automated or manual or both) seek to take a holistic view of customer behaviour and draw on a range of data, rather than just transaction-by-transaction analysis.

  • Monitoring is applied, where appropriate, at multiple levels of aggregation:

    - transaction level (the lowest);

    - account level (the aggregate of transactions for an account);

    - customer level (the aggregate of accounts for a specific customer); and

    - linked-entity level (i.e. across a group of customers linked, for example, through a relationship manager).

  • When decommissioning an existing automated system (or aspects of that system, such as particular rule sets), a firm is able to justify this decision. Consideration may be given to, for example, the relative merits of other approaches (including manual approaches), the systems’ resource implications, and the systems’ performance outcomes (such as the intelligence value of alerts and the proportion of ‘false positives’).

  • Before a new system replaces an existing one, a robust judgement is formed about the relative usefulness of both systems. While each system may not flag all the same events, the firm is able to demonstrate that one approach produces better quality alerts overall.

  • A firm explores the use of new approaches to automated monitoring (e.g. network analysis or machine learning). Consideration is given to the limitations of these approaches and how any resultant risks can be contained. (For example, it will not be clear to operators of more free-form varieties of machine learning why the software has made its recommendations, which can pose ethical and audit challenges.)

  • The firm tailors the monitoring system rules to its business, risk and relevant typologies. The system and rules are tested and reviewed for the right outcomes.

  • The firm practises good record keeping. For example, records of decision making and rationales for thresholds are documented and accessible.

  • Where a firm learns that criminals have abused its facilities, a review is performed to learn how monitoring methods could be improved to lessen the risk of recurrence.

  • A firm using an automated system keeps records of how the system has been trained. It records the process for making adjustments and how the interpretable model can be maintained.

Examples of poor practice:

  • The control framework around automated monitoring is weak. For example, senior management have an unrealistic expectation of what automated monitoring systems are feasibly able to achieve, while manual scrutiny of alerts lacks resources and is unable to cope.

  • Threshold-based transaction monitoring approaches are used in situations where they are not suitable, while other methods of scrutiny (such as oversight of customers by relationship managers) are neglected.

  • A threshold-based, rule-driven transaction monitoring system is used but is poorly calibrated, and the firm struggles to articulate the rationale for particular rules and scenarios.

  • Data fed into an automated system is not migrated smoothly when feeder systems are modified or upgraded, or transactions from a specific system have been erroneously omitted from the transaction monitoring system.

  • The firm uses a transaction monitoring system with set rules (which could include use of off-the-shelf systems) and does not calibrate these to the firm’s individual needs or review them regularly for efficiency.

  • A firm does not check that a counterparty firm is monitoring customer activity.

  • A firm using an automated system lacks an understanding of what the system is detecting and why. This may be because of, for example, staff turnover, poor documentation or weak communication with the system’s vendor.

See regulations 27, 28(11), 33 and 34 of the Money Laundering Regulations.
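The good-practice entry above on monitoring at multiple levels of aggregation, the poor-practice entries on poorly calibrated rules and on feeder data that never reaches the monitoring system, and the HSBC case study in FCG 3.2.5B below all come down to a few checks that can be stated precisely in code. The following Python is an added illustration written for this guide; it is not FCA code and not any firm’s monitoring system. Every name in it (the customers C1 to C3, the accounts, the source systems, the thresholds, the linked group and the feeder control totals) is a constructed assumption, chosen so that each aggregation level fires on a different pattern.

```python
"""Threshold monitoring at four aggregation levels, plus a feed-completeness
check and a dead-rule check.

Added illustrative example for this guide; not FCA code and not any firm's
production system. Customers, accounts, amounts, thresholds, the linked group
and the feeder control totals are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    source_system: str      # feeder system the record was loaded from
    customer_id: str
    account_id: str
    amount: Decimal


# Assumed thresholds for the example, not recommended values.
THRESHOLDS = {
    "transaction": Decimal("10000"),    # a single transfer at or above this
    "account": Decimal("15000"),        # aggregate per account
    "customer": Decimal("25000"),       # aggregate across a customer's accounts
    "linked_entity": Decimal("40000"),  # aggregate across linked customers
}

# Customers grouped because they share a relationship manager (assumed link).
LINKED_GROUPS = {"G1": {"C1", "C2"}}

# Control totals the feeder systems report for the window (constructed).
EXPECTED_COUNTS = {"core_banking": 10, "cards": 3}


def _t(i, src, cust, acct, amt):
    return Txn(f"T{i:02d}", src, cust, acct, Decimal(amt))


# Constructed sample: C1 and C2 keep every transfer under the transaction
# threshold, so only aggregation reveals the pattern; C3 sends one large one.
SAMPLE_TXNS = [
    _t(1, "core_banking", "C1", "A1", "4000"),
    _t(2, "core_banking", "C1", "A1", "4000"),
    _t(3, "core_banking", "C1", "A1", "4000"),
    _t(4, "core_banking", "C1", "A2", "4000"),
    _t(5, "core_banking", "C1", "A2", "4000"),
    _t(6, "core_banking", "C1", "A2", "4000"),
    _t(7, "core_banking", "C1", "A2", "4000"),
    _t(8, "core_banking", "C2", "A3", "4500"),
    _t(9, "core_banking", "C2", "A3", "4500"),
    _t(10, "core_banking", "C2", "A3", "4500"),
    _t(11, "cards", "C3", "A4", "12000"),
]


def reconcile_feeds(txns, expected_counts):
    """Compare records actually loaded per source system with the feeder's
    control totals. Returns {system: shortfall} for systems that are short;
    an empty dict means the monitored population is complete."""
    loaded = Counter(t.source_system for t in txns)
    return {sys: exp - loaded[sys]
            for sys, exp in expected_counts.items() if loaded[sys] < exp}


def monitor(txns, thresholds=THRESHOLDS, linked_groups=LINKED_GROUPS):
    """Apply a threshold rule at transaction, account, customer and
    linked-entity level. Returns a list of (level, subject, total) alerts."""
    alerts = []
    by_account = defaultdict(Decimal)
    by_customer = defaultdict(Decimal)
    for t in txns:
        if t.amount >= thresholds["transaction"]:
            alerts.append(("transaction", t.txn_id, t.amount))
        by_account[t.account_id] += t.amount
        by_customer[t.customer_id] += t.amount
    for acct, total in by_account.items():
        if total >= thresholds["account"]:
            alerts.append(("account", acct, total))
    for cust, total in by_customer.items():
        if total >= thresholds["customer"]:
            alerts.append(("customer", cust, total))
    for group, members in linked_groups.items():
        total = sum((by_customer[c] for c in members), Decimal(0))
        if total >= thresholds["linked_entity"]:
            alerts.append(("linked_entity", group, total))
    return alerts


def dead_rules(alerts, thresholds):
    """Levels whose rule never fired over the window. Silence on a population
    known to contain reportable patterns is a calibration defect."""
    fired = {level for level, _, _ in alerts}
    return sorted(set(thresholds) - fired)


if __name__ == "__main__":
    print("feed shortfalls:", reconcile_feeds(SAMPLE_TXNS, EXPECTED_COUNTS))
    for alert in monitor(SAMPLE_TXNS):
        print(alert)
    # Same population, thresholds set so high that nothing can fire.
    too_high = {k: 10**6 for k in THRESHOLDS}
    print("dead rules:", dead_rules(monitor(SAMPLE_TXNS, too_high), too_high))
```

Running the module reports the feed shortfall first, because alerts computed over an incomplete population are not meaningful (the fourth failing in the case study below). Only one of the eleven transfers breaches the transaction-level rule; the account, customer and linked-entity rules each catch a pattern the level beneath them cannot see. The final dead_rules call shows the case study’s third failing: with thresholds set far above anything in the population, every rule is silent, and silence over a window that is known to contain reportable patterns is a defect in the rule rather than evidence that the population is clean.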

Case study – transaction monitoring

FCG 3.2.5B

The FCA found that 3 key parts of HSBC’s transaction monitoring systems showed serious weaknesses over an extended period of several years: the systems were ineffective and not sufficiently risk sensitive for a prolonged period, and exposed the bank and the community to avoidable risks.

In particular, the bank failed to:

  • consider whether the scenarios used to identify indicators of money laundering or terrorist financing covered relevant risks;

  • carry out timely risk assessments for new scenarios;

  • appropriately test and update the parameters within the systems that were used to determine whether a transaction was indicative of potentially suspicious activity. There was a failure to understand those rules, and certain thresholds were set at levels that made it almost impossible for the relevant scenarios to identify potentially suspicious activity; and

  • check the accuracy and completeness of the data being fed into, and contained within, monitoring systems. This resulted in millions of transactions worth billions of pounds being either monitored incorrectly or not at all.

The FCA imposed a financial penalty of £63,946,800.

See the FCA’s press release: www.fca.org.uk/news/press-releases/fca-fines-hsbc-bank-plc-deficient-transaction-monitoring-controls.

Source of wealth and source of funds

FCG 3.2.6

1Establishing the source of funds and the source of wealth can be useful for ongoing monitoring and due diligence purposes because it can help firms ascertain whether the level and type of transaction is consistent with the firm’s knowledge of the customer. It is a requirement where the customer is a PEP.

‘Source of wealth’ describes how a customer or beneficial owner acquired their total wealth.

‘Source of funds’ refers to the origin of the funds involved in the business relationship or occasional transaction. It refers to the activity that generated the funds, for example salary payments or sale proceeds, as well as the means through which the customer’s or beneficial owner’s funds were transferred.

The JMLSG’s guidance provides that, in situations where the risk of money laundering/terrorist financing is very low and subject to certain conditions, firms may assume that a payment drawn on an account in the customer’s name with a UK, EU or equivalent regulated credit institution satisfies the standard CDD requirements. This is sometimes referred to as ‘source of funds as evidence’ and is distinct from ‘source of funds’ in the context of Regulation 28(11) and Regulations 33 and 35 of the Money Laundering Regulations and of FCG. Nothing in FCG prevents the use of ‘source of funds as evidence’ in situations where this is appropriate.

Where the customer is either a PEP, a family member of a PEP or known close associate of a PEP, a firm may have regard to guidance issued by the FCA on the treatment of PEPs.

[Editor’s Note: see https://www.fca.org.uk/publications/finalised-guidance/fg17-6-treatment-politically-exposed-persons-peps-money-laundering.]

Handling higher risk situations

FCG 3.2.7

1The law requires that firms’ anti-money laundering policies and procedures are sensitive to risks. This means that in higher risk situations, firms must apply enhanced due diligence and ongoing monitoring. Situations that present a higher money laundering risk might include, but are not restricted to: customers linked to higher risk countries or business sectors; or who have unnecessarily complex or opaque beneficial ownership structures; and transactions which are unusual, lack an obvious economic or lawful purpose, are complex or large or might lend themselves to anonymity.

Firms must take account of the risk factors set out under regulation 33(6), which relate to customer risk, product risk and geographical risk, when assessing whether there is a high risk of money laundering or terrorist financing in a particular situation and the extent of the measures which should be taken to manage and mitigate that risk.

The Money Laundering Regulations also set out some scenarios in which specific enhanced due diligence measures have to be applied:

  1. Correspondent relationships: where a UK credit or financial institution has a cross-border correspondent relationship involving the execution of payments with a credit institution or financial institution from a third country (see regulation 34 of the Money Laundering Regulations), it should apply both the EDD measures in regulation 33 and the additional measures set out in regulation 34, commensurate with the risk of the relationship. In higher risk situations this can include thoroughly understanding its correspondent’s business, reputation and the quality of its defences against money laundering and terrorist financing. Senior management must also give approval before establishing a new correspondent relationship. JMLSG guidance sets out how firms should apply EDD in differing correspondent relationships.

  2. Politically exposed persons (PEPs), family members and known close associates of a PEP: a PEP is a person entrusted with a prominent public function, other than as a middle-ranking or more junior official. PEPs (as well as their family members and known close associates) must be subject to enhanced scrutiny. A senior manager at an appropriate level of authority must also approve the initiation of a business relationship with a PEP (or with a family member, or known close associate, of a PEP). This includes approving the continuation of a relationship with an existing customer who became a PEP after the relationship began. In meeting these obligations firms may have regard to the FCA’s guidance on a risk-based approach to PEPs.

  3. Business relationships or a ‘relevant transaction’ where either party is established in a high-risk third country: the Money Laundering Regulations define:

     (a) a high-risk third country as a country named by FATF on its list of High-Risk Jurisdictions subject to a Call for Action or its list of Jurisdictions under Increased Monitoring;

     (b) a relevant transaction as a transaction in relation to which the relevant person is required to apply customer due diligence under Regulation 27;

     (c) established in a country, in the case of a legal person, as the country of incorporation or principal place of business, or, in the case of a financial institution or credit institution, the country where its principal regulatory authority is.

     In these scenarios, EDD must include specified measures, which include obtaining additional information on the customer, the beneficial owner, the intended nature of the business relationship, source of funds and wealth, and the reasons for the transactions, and obtaining senior management approval for the business relationship. Conducting enhanced monitoring is also a requirement.

  4. Other transactions: EDD must be performed:

    1. (a) in any case where a transaction is complex or unusually large, or there is an unusual pattern of transactions, or the transaction or transactions have no apparent economic or legal purpose. In this scenario, there are specified EDD measures which must include, as far as reasonably possible, examining the background and purpose of the transaction and increasing the degree and nature of monitoring of the business relationship in which the transaction is made to determine whether that transaction or that relationship appears to be suspicious;

    2. (b) in any other case which by its nature can present a higher risk of money laundering, proliferation financing or terrorist financing. This can include where there is evidence that a cryptoasset transaction has involved privacy-enhancing techniques or products such as ‘mixers’ or ‘tumblers’, privacy coins and transactions involving the use of self-hosted addresses, obfuscated ledger technology, ring signatures, stealth addresses, ring confidential transactions, atomic swaps and non-interactive zero knowledge proofs; and

    3. (c) where findings from blockchain analysis indicate exposure to criminal or sanctioned activities.

    Where the customer is the beneficiary of a life insurance policy, is a legal person or a legal arrangement, and presents a high risk of money laundering or terrorist financing for any other reason, credit and financial institutions must take reasonable measures to identify and verify the identity of the beneficial owners of that beneficiary before making a payment under the life insurance policy.

The extent of enhanced due diligence measures that a firm undertakes can be determined on a risk-sensitive basis. The firm must be able to demonstrate that the extent of the enhanced due diligence measures it applies is commensurate with the money laundering and terrorist financing risks.

See regulations 19, 20, 21, 28(16), 33 and 34 of the Money Laundering Regulations.

Handling higher risk situations – enhanced due diligence (EDD)

FCG 3.2.8

Firms must apply EDD measures in situations that present a higher risk of money laundering.

EDD should give firms a greater understanding of the customer and their associated risk than standard due diligence. It should provide more certainty that the customer and/or beneficial owner is who they say they are and that the purposes of the business relationship are legitimate, as well as increasing opportunities to identify and deal with concerns that they are not. FCG 3.2.3G considers risk assessment.

The extent of EDD must be commensurate to the risk associated with the business relationship or occasional transaction but firms can decide, in most cases, which aspects of CDD they should enhance. This will depend on the reason why a relationship or occasional transaction was classified as high risk.

Examples of EDD include:

  1. • obtaining more information about the customer’s or beneficial owner’s business

  2. • obtaining more robust verification of the beneficial owner’s identity based on information from a reliable and independent source

  3. • gaining a better understanding of the customer’s or beneficial owner’s reputation and/or role in public life and assessing how this affects the level of risk associated with the business relationship

  4. • carrying out searches on a corporate customer’s directors or other individuals exercising control to understand whether their business or integrity affects the level of risk associated with the business relationship

  5. • establishing how the customer or beneficial owner acquired their wealth to be satisfied that it is legitimate

  6. • establishing the source of the customer’s or beneficial owner’s funds to be satisfied that they do not constitute the proceeds from crime.

Self-assessment questions:

  1. • How does EDD differ from standard CDD? How are issues that are flagged during the due diligence process followed up and resolved? Is this adequately documented?

  2. • How is EDD information gathered, analysed, used and stored?

  3. • What involvement do senior management or committees have in approving high risk customers? What information do they receive to inform any decision-making in which they are involved?

Examples of good practice:

  1. • The MLRO (and their team) have adequate oversight of all high risk relationships.

  2. • The firm establishes the legitimacy of, and documents, the source of wealth and source of funds used in high risk business relationships.

  3. • Where money laundering risk is very high, the firm obtains independent internal or external intelligence reports.

  4. • When assessing EDD, the firm complements staff knowledge of the customer or beneficial owner with more objective information.

  5. • The firm is able to provide evidence that relevant information staff have about customers or beneficial owners is documented and challenged during the CDD process.

  6. • A member of a group satisfies itself that it is appropriate to rely on due diligence performed by other entities in the same group.

  7. • The firm proactively follows up gaps in, and updates, CDD of higher risk customers.

  8. • A correspondent bank seeks to identify PEPs associated with their respondents.

  9. • A correspondent bank takes a view on the strength of the AML regime in a respondent bank’s home country, drawing on discussions with the respondent, overseas regulators and other relevant bodies.

  10. • A correspondent bank gathers information about respondent banks’ procedures for sanctions screening, PEP identification and management, account monitoring and suspicious activity reporting.

Examples of poor practice:

  1. • Senior management do not give approval for taking on high risk customers. If the customer is a PEP or a non-EEA correspondent, this breaches the Money Laundering Regulations.

  2. • [deleted]

  3. • The firm does not distinguish between the customer’s source of funds and their source of wealth.

  4. • The firm relies entirely on a single source of information for its enhanced due diligence.

  5. • A firm relies on intra-group introductions where overseas standards are not UK-equivalent or where due diligence data is inaccessible because of legal constraints.

  6. • The firm considers the credit risk posed by the customer, but not the money laundering risk.

  7. • The firm disregards allegations of the customer’s or beneficial owner’s criminal activity from reputable sources repeated over a sustained period of time.

  8. • The firm ignores adverse allegations simply because customers hold a UK investment visa.

  9. • A firm grants waivers from establishing source of funds, source of wealth or other due diligence without good reason.

  10. • A correspondent bank conducts inadequate due diligence on parents and affiliates of respondents.

  11. • A correspondent bank relies exclusively on the Wolfsberg Group AML questionnaire.

See regulations 33, 34, 34(1)(d), 35 and 35(5)(a) of the Money Laundering Regulations.

Handling higher risk situations – enhanced ongoing monitoring

FCG 3.2.9

Firms must enhance their ongoing monitoring in higher risk situations.

Self-assessment questions:

  1. • How does your firm monitor its high risk business relationships? How does enhanced ongoing monitoring differ from ongoing monitoring of other business relationships?

  2. • Are reviews carried out independently of relationship managers?

  3. • What information do you store in the files of high risk customers? Is it useful? (Does it include risk assessment, verification evidence, expected account activity, profile of customer or business relationship and, where applicable, information about the ultimate beneficial owner?)

Examples of good practice:

  1. • Key AML staff have a good understanding of, and easy access to, information about a bank’s highest risk customers.

  2. • New higher risk clients are more closely monitored to confirm or amend expected account activity.

  3. • Alert thresholds on automated monitoring systems are lower for PEPs and other higher risk customers. Exceptions are escalated to more senior staff.

  4. • Decisions across a group on whether to keep or exit high risk relationships are consistent and in line with the firm’s overall risk appetite or assessment.

Examples of poor practice:

  1. • The firm treats annual reviews as a tick-box exercise and copies information from previous reviews without thought.

  2. • A firm in a group relies on others in the group to carry out monitoring without understanding what they did and what they found.

  3. • There is insufficient challenge to explanations from relationship managers and customers about unusual transactions.

  4. • The firm focuses too much on reputational or business issues when deciding whether to exit relationships with a high money laundering risk.

  5. • The firm makes no enquiries when accounts are used for purposes inconsistent with expected activity (e.g. personal accounts being used for business).

See regulation 33(1) of the Money Laundering Regulations.

Liaison with law enforcement

FCG 3.2.10

Firms must have a nominated officer. The nominated officer has a legal obligation to report any knowledge or suspicions of money laundering to the National Crime Agency (NCA) through a ‘Suspicious Activity Report’, also known as a ‘SAR’. (See FCG Annex 1 list of common terms for more information about nominated officers and Suspicious Activity Reports.)

Staff must report their concerns and may do so to the firm’s nominated officer, who must then consider whether a report to NCA is necessary based on all the information at their disposal. Law enforcement agencies may seek information from the firm about a customer, often through the use of Production Orders (see FCG Annex 1).

Self-assessment questions:

  1. • Is it clear who is responsible for different types of liaison with the authorities?

  2. • How does the decision-making process related to SARs work in the firm?

  3. • Are procedures clear to staff?

  4. • Do staff report suspicions to the nominated officer? If not, does the nominated officer take steps to identify why reports are not being made? How does the nominated officer deal with reports received?

  5. • What evidence is there of the rationale underpinning decisions about whether a SAR is justified?

  6. • Is there a documented process for responding to Production Orders, with clear timetables?

Examples of good practice:

  1. • All staff understand procedures for escalating suspicions and follow them as required.

  2. • The firm’s SARs set out a clear narrative of events and include detail that law enforcement authorities can use (e.g. names, addresses, passport numbers, phone numbers, email addresses).

  3. • SARs set out the reasons for suspicion in plain English. They include some context on any previous related SARs rather than just a cross-reference.

  4. • There is a clear process for documenting decisions.

  5. • A firm’s processes for dealing with suspicions reported to it by third party administrators are clear and effective.

Examples of poor practice:

  1. • The nominated officer passes all internal reports to NCA without considering whether they truly are suspicious. These ‘defensive’ reports are likely to be of little value.

  2. • The nominated officer dismisses concerns escalated by staff without reasons being documented.

  3. • The firm does not train staff to make internal reports, thereby exposing them to personal legal liability and increasing the risk that suspicious activity goes unreported.

  4. • The nominated officer turns a blind eye where a SAR might harm the business. This could be a criminal offence.

  5. • A firm provides extraneous and irrelevant detail in response to a Production Order.

See regulation 21 of the Money Laundering Regulations and s.330 POCA and s.331 POCA and s.21A of the Terrorism Act 2000.

Record keeping and reliance on others

FCG 3.2.11

Firms must keep copies of any documents and information obtained to meet CDD requirements and sufficient supporting records for transactions for five years after the business relationship ends or five years after an occasional transaction. However, records relating to transactions occurring in a business relationship need not be kept beyond 10 years. Where a firm is relied on by others to do due diligence checks, it must keep its records of those checks for the same time period. Firms must keep records sufficient to demonstrate to us that their CDD measures are appropriate in view of the risk of money laundering and terrorist financing. Regulation 40(5) requires that any data collected is deleted after these periods. Regulation 41 also sets out that personal data collected under the Money Laundering Regulations should only be processed for the purposes of preventing money laundering or terrorist financing.

Self-assessment questions:

  1. • Can your firm retrieve records promptly in response to a Production Order?

  2. • If the firm relies on others to carry out AML checks (see ‘Reliance’ in FCG Annex 1), is this within the limits permitted by the Money Laundering Regulations? How does it satisfy itself that it can rely on these firms?

Examples of good practice:

  1. • Records of customer ID and transaction data can be retrieved quickly and without delay.

  2. • Where the firm routinely relies on checks done by a third party (for example, a fund provider relies on an IFA’s checks), it requests sample documents to test their reliability.

Examples of poor practice:

  1. • The firm keeps customer records and related information in a way that restricts the firm’s access to these records or their timely sharing with authorities.

  2. • A firm cannot access CDD and related records for which it has relied on a third party. This breaches the Money Laundering Regulations.

  3. • Significant proportions of CDD records cannot be retrieved in good time.

  4. • The firm has not considered whether a third party consents to being relied upon.

  5. • There are gaps in customer records, which cannot be explained.

See regulations 28(16), 40 and 40(7) of the Money Laundering Regulations.

Countering the finance of terrorism

FCG 3.2.12

Firms have an important role to play in providing information that can assist the authorities with counter-terrorism investigations. Many of the controls firms have in place in relation to terrorism will overlap with their anti-money laundering measures, covering, for example, risk assessment, customer due diligence checks, transaction monitoring, escalation of suspicions and liaison with the authorities.

Self-assessment questions:

  1. • How have risks associated with terrorist finance been assessed? Did assessments consider, for example, risks associated with the customer base, geographical locations, product types, distribution channels, etc.?

  2. • Is it clear who is responsible for liaison with the authorities on matters related to countering the finance of terrorism? (See FCG 3.2.10G)

Examples of good practice:

  1. • The firm has and uses an effective process for liaison with the authorities.

  2. • A firm identifies sources of information on terrorist financing risks: e.g. press reports, NCA alerts, Financial Action Task Force typologies, court judgements, etc. This information informs the design of transaction monitoring systems.

  3. • Suspicions raised within the firm inform its own typologies.

Examples of poor practice:

  1. • Financial crime training does not mention terrorist financing.

  2. • A firm doing cross-border business has not assessed terrorism-related risks in countries in which it has a presence or does business.

  3. • A firm has not considered if its approach to customer due diligence is able to capture information relevant to the risks of terrorist finance.

Customer payments

FCG 3.2.13

This section applies to banks subject to SYSC 6.3.

Interbank payments can be abused by criminals. International policymakers have taken steps intended to increase the transparency of interbank payments, allowing law enforcement agencies to more easily trace payments related to, for example, drug trafficking or terrorism. The Money Laundering Regulations require banks to collect and attach information about payers and payees of wire transfers (such as names and addresses) to payment messages. Banks are also required to check this information is present on inbound payments, and chase missing data. The FCA has a legal responsibility to supervise banks’ compliance with these requirements. Concerns have also been raised about interbank transfers known as “cover payments” (see FCG Annex 1) that can be abused to disguise funds’ origins. To address these concerns, the SWIFT payment messaging system now allows originator and beneficiary information to accompany these payments.

From 1 September 2023, similar obligations have applied for cryptoasset transfers undertaken by cryptoasset businesses registered with the FCA under the Money Laundering Regulations. This chapter may assist cryptoasset businesses in implementing this requirement but they should also have regard to specific expectations set out by the FCA. For further information, see www.fca.org.uk/news/statements/fca-sets-out-expectations-uk-cryptoasset-businesses-complying-travel-rule.

Self-assessment questions:

  1. • How does your firm ensure that customer payment instructions contain complete payer and payee information? (For example, does it have appropriate procedures in place for checking payments it has received?)

  2. • Does the firm review its respondent banks’ track record on providing payer data and using appropriate SWIFT messages for cover payments?

  3. • Does the firm use guidance issued by the ESAs? [Editor’s Note: see http://www.eba.europa.eu/-/esas-provide-guidance-to-prevent-terrorist-financing-and-money-laundering-in-electronic-fund-transfers.]

Examples of good practice:

  1. • Following processing, banks conduct risk-based sampling for inward payments to identify inadequate payer and payee information.

  2. • An intermediary bank chases up missing information.

  3. • A bank sends dummy messages to test the effectiveness of filters.

  4. • A bank is aware of guidance from the Basel Committee and the Wolfsberg Group on the use of cover payments, and has considered how this should apply to its own operations.

  5. • The quality of payer and payee information in payment instructions from respondent banks is taken into account in the bank’s ongoing review of correspondent banking relationships.

  6. • The firm actively engages in peer discussions about taking appropriate action against banks which persistently fail to provide complete payer information.

Examples of poor practice:

  1. • A bank fails to make use of the correct SWIFT message type for cover payments.

  2. • Compliance with regulations related to international customer payments has not been reviewed by the firm’s internal audit or compliance departments.

  3. • The following practices breach the Funds Transfer Regulation:

    • International customer payment instructions sent by the payer’s bank lack meaningful payer and payee information.

    • An intermediary bank strips payee or payer information from payment instructions before passing the payment on.

    • The payee bank does not check any incoming payments to see if they include complete and meaningful data.
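The inbound check this section describes (confirm payer and payee data is present, chase what is missing, and track each respondent bank’s record for the correspondent review) as an added illustration; this is not FCA or JMLSG code, and the field names, placeholder list and sample messages are constructed assumptions rather than any real message standard.

```python
"""Added illustration, not FCA text: a completeness check for payer and payee
information on inbound payment messages. Field names, the placeholder list and
the sample messages below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# Information the guidance says must accompany a transfer (names and
# addresses), plus account identifiers to tie the record to the payment.
REQUIRED_FIELDS = ("payer_name", "payer_address", "payer_account",
                   "payee_name", "payee_account")

# Strings that fill a field without carrying meaning: a populated field is
# not necessarily a meaningful one (constructed list).
PLACEHOLDERS = {"", ".", "-", "n/a", "na", "none", "unknown", "xxx",
                "not available", "one of our clients"}

@dataclass
class PaymentMessage:
    ref: str
    respondent_bic: str                      # bank that sent us the message
    fields: dict = field(default_factory=dict)

@dataclass
class CheckResult:
    ref: str
    respondent_bic: str
    missing: list = field(default_factory=list)      # field absent entirely
    placeholder: list = field(default_factory=list)  # present but meaningless

    @property
    def complete(self) -> bool:
        return not self.missing and not self.placeholder

def is_placeholder(value: str) -> bool:
    """True for known filler values or strings with no letters or digits."""
    norm = " ".join(value.lower().split())
    return norm in PLACEHOLDERS or not any(ch.isalnum() for ch in norm)

def check_message(msg: PaymentMessage) -> CheckResult:
    """Classify each required field as present, missing or placeholder."""
    result = CheckResult(msg.ref, msg.respondent_bic)
    for name in REQUIRED_FIELDS:
        value = msg.fields.get(name)
        if value is None:
            result.missing.append(name)
        elif is_placeholder(str(value)):
            result.placeholder.append(name)
    return result

def triage(messages):
    """Return (chase_list, completeness_by_respondent).

    chase_list: refs whose data must be requested from the sending bank.
    completeness_by_respondent: share of complete messages per respondent,
    the track record a correspondent banking review can consult."""
    results = [check_message(m) for m in messages]
    chase = [r.ref for r in results if not r.complete]
    counts = defaultdict(lambda: [0, 0])  # bic -> [complete, total]
    for r in results:
        counts[r.respondent_bic][1] += 1
        counts[r.respondent_bic][0] += int(r.complete)
    return chase, {bic: c / t for bic, (c, t) in counts.items()}

# Constructed sample: REF001 is complete, REF002 carries a placeholder payer
# name, REF003 has had the payer address stripped entirely.
SAMPLE = [
    PaymentMessage("REF001", "BANKAXXX", {
        "payer_name": "A. Example", "payer_address": "1 High St, Anytown",
        "payer_account": "GB00EXMP00000001", "payee_name": "B. Sample",
        "payee_account": "GB00EXMP00000002"}),
    PaymentMessage("REF002", "BANKBXXX", {
        "payer_name": "ONE OF OUR CLIENTS", "payer_address": "1 High St",
        "payer_account": "GB00EXMP00000003", "payee_name": "C. Sample",
        "payee_account": "GB00EXMP00000004"}),
    PaymentMessage("REF003", "BANKBXXX", {
        "payer_name": "D. Example", "payer_account": "GB00EXMP00000005",
        "payee_name": "E. Sample", "payee_account": "GB00EXMP00000006"}),
]
```

Running `triage(SAMPLE)` returns the two references to chase and a completeness rate of 1.0 for BANKAXXX and 0.0 for BANKBXXX, which is the kind of respondent track record the self-assessment question above asks about.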

Case study – poor AML controls

FCG 3.2.14

The FSA fined Alpari (UK) Ltd, an online provider of foreign exchange services, £140,000 in May 2010 for poor anti-money laundering controls.

  1. • Alpari failed to carry out satisfactory customer due diligence procedures at the account opening stage and failed to monitor accounts adequately.

  2. • These failings were particularly serious given that the firm did business over the internet and had customers from higher risk jurisdictions.

  3. • The firm failed to ensure that resources in its compliance and anti-money laundering areas kept pace with the firm’s significant growth.

Alpari’s former money laundering reporting officer was also fined £14,000 for failing to fulfil his duties.

See the FCA’s press release for more information: www.fca.org.uk/publication/final-notices/alpari.pdf.

Case studies – wire transfer failures

FCG 3.2.15

A UK bank that falls short of our expectations when using payment messages does not just risk FCA enforcement action or prosecution; it can also face criminal sanctions abroad.

In January 2009, Lloyds TSB agreed to pay US$350m to US authorities after Lloyds offices in Britain and Dubai were discovered to be deliberately removing customer names and addresses from US wire transfers connected to countries or persons on US sanctions lists. The US Department of Justice concluded that Lloyds TSB staff removed this information to ensure payments would pass undetected through automatic filters at American financial institutions. See its press release: www.usdoj.gov/opa/pr/2009/January/09-crm-023.html.

In August 2010, Barclays Bank PLC agreed to pay US$298m to US authorities after it was found to have implemented practices designed to evade US sanctions for the benefit of sanctioned countries and persons, including by stripping information from payment messages that would have alerted US financial institutions about the true origins of the funds. The bank self-reported the breaches, which took place over a decade-long period from as early as the mid-1990s to September 2006. See the US Department of Justice’s press release: www.justice.gov/opa/pr/2010/August/10-crm-933.html.

Case study – poor AML controls: PEPs and high risk customers

FCG 3.2.16

The FSA fined Coutts & Company £8.75 million in March 2012 for poor AML systems and controls. Coutts failed to take reasonable care to establish and maintain effective anti-money laundering systems and controls in relation to their high risk customers, including in relation to customers who are Politically Exposed Persons.

  1. • Coutts failed adequately to assess the level of money laundering risk posed by prospective and existing high risk customers.

  2. • The firm failed to gather sufficient information to establish their high risk customers’ source of funds and source of wealth, and to scrutinise appropriately the transactions of PEPs and other high risk accounts.

  3. • The firm failed to ensure that resources in its compliance and anti-money laundering areas kept pace with the firm’s significant growth.

These failings were serious, systemic and were allowed to persist for almost three years. They were particularly serious because Coutts is a high profile bank with a leading position in the private banking market, and because the weaknesses resulted in an unacceptable risk of handling the proceeds of crime.

This was the largest fine yet levied by the FSA for failures related to financial crime.

See the FCA’s press release for more information: www.fca.org.uk/publication/final-notices/coutts-mar12.pdf.

Poor AML controls: risk assessment

FCG 3.2.17

The FSA fined Habib Bank AG Zurich £525,000, and its MLRO £17,500, in May 2012 for poor AML systems and controls.

Habib Bank AG Zurich failed adequately to assess the level of money laundering risk associated with its business relationships. For example, the firm excluded higher risk jurisdictions from its list of high risk jurisdictions on the basis that it had group offices in them.

  1. • Habib Bank AG Zurich failed to conduct timely and adequate enhanced due diligence on higher risk customers by failing to gather sufficient information and supporting evidence.

  2. • The firm also failed to carry out adequate reviews of its AML systems and controls.

  3. • The MLRO failed properly to ensure the establishment and maintenance of adequate and effective anti-money laundering risk management systems and controls.

See the FCA’s press release for more information: www.fca.org.uk/publication/final-notices/habib-bank.pdf.