FCG 6.2 Themes

Governance

FCG 6.2.1

A firm’s senior management are responsible for ensuring that the firm conducts its business with integrity and tackles the risk that the firm, or anyone acting on its behalf, engages in bribery and corruption. A firm’s senior management should therefore be kept up-to-date with, and stay fully abreast of, bribery and corruption issues.

Self-assessment questions:

  • What role do senior management play in the firm’s anti-bribery and corruption effort? Do they approve and periodically review the strategies and policies for managing, monitoring and mitigating this risk? What steps do they take to ensure staff are aware of their interest in this area?

  • Can your firm’s board and senior management demonstrate a good understanding of the bribery and corruption risks faced by the firm, the materiality to its business and how to apply a risk-based approach to anti-bribery and corruption?

  • How are integrity and compliance with relevant anti-corruption legislation considered when discussing business opportunities?

  • What information do senior management receive in relation to bribery and corruption, and how frequently? Is it sufficient for senior management effectively to fulfil their functions in relation to anti-bribery and corruption?

Examples of good practice:

  • The firm is committed to carrying out business fairly, honestly and openly.

  • Senior management lead by example in complying with the firm’s anti-corruption policies and procedures.

  • Responsibility for anti-bribery and corruption systems and controls is clearly documented and apportioned to a single senior manager or a committee with appropriate terms of reference and senior management membership who reports ultimately to the board.

  • Anti-bribery systems and controls are subject to audit.

  • Management information submitted to the board ensures they are adequately informed of internal and external developments relevant to bribery and corruption and respond to these swiftly and effectively.

Examples of poor practice:

  • There is a lack of awareness of, or engagement in, anti-bribery and corruption at senior management or board level.

  • An ‘ask no questions’ culture sees management turn a blind eye to how new business is generated.

  • Little or no management information is sent to the board about existing and emerging bribery and corruption risks faced by the business, including: higher risk third-party relationships or payments; the systems and controls to mitigate those risks; the effectiveness of these systems and controls; and legal and regulatory developments.

Risk assessment

FCG 6.2.2

The guidance in FCG 2.2.4G on risk assessment in relation to financial crime also applies to bribery and corruption.

We expect firms to identify, assess and regularly review and update their bribery and corruption risks. Corruption risk is the risk of a firm, or anyone acting on the firm’s behalf, engaging in corruption.

Self-assessment questions:

  • How do you define bribery and corruption? Does your definition cover all forms of bribery and corrupt behaviour falling within the definition of ‘financial crime’ referred to in SYSC 3.2.6R and SYSC 6.1.1R, or is it limited to ‘bribery’ as that term is defined in the Bribery Act 2010?

  • Where is your firm exposed to bribery and corruption risk? (Have you considered risk associated with the products and services you offer, the customers and jurisdictions with which you do business, your exposure to public officials and public office holders, and your own business practices, for example your approach to providing corporate hospitality, charitable and political donations and your use of third parties?)

  • Has the risk of staff or third parties acting on the firm’s behalf offering or receiving bribes or other corrupt advantage been assessed across the business?

  • Who is responsible for carrying out a bribery and corruption risk assessment and keeping it up to date? Do they have sufficient levels of expertise and seniority?

Examples of good practice:

  • Corruption risks are assessed in all jurisdictions where the firm operates and across all business channels.

  • The firm considers factors that might lead business units to downplay the level of bribery and corruption risk to which they are exposed, such as lack of expertise or awareness, or potential conflicts of interest.

Examples of poor practice:

  • Departments responsible for identifying and assessing bribery and corruption risk are ill equipped to do so.

  • For fear of harming the business, the firm classifies as low risk a jurisdiction generally associated with high risk.

  • The risk assessment is only based on generic, external sources.

Policies and procedures

FCG 6.2.3

The guidance in FCG 2.2.5G on policies and procedures in relation to financial crime and in FCG 2.2.6G on staff recruitment, vetting, training, awareness and remuneration also applies to bribery and corruption.

Firms’ policies and procedures to reduce their financial crime risk must cover corruption and bribery.

Self-assessment questions:

  • Do your anti-bribery and corruption policies adequately address all areas of bribery and corruption risk to which your firm is exposed, either in a stand-alone document or as part of separate policies? (For example, do your policies and procedures cover: expected standards of behaviour; escalation processes; conflicts of interest; expenses, gifts and hospitality; the use of third parties to win business; whistleblowing; monitoring and review mechanisms; and disciplinary sanctions for breaches?)

  • Have you considered the extent to which corporate hospitality might influence, or be perceived to influence, a business decision? Do you impose and enforce limits that are appropriate to your business and proportionate to the bribery and corruption risk associated with your business relationships?

  • How do you satisfy yourself that your anti-corruption policies and procedures are applied effectively?

  • How do your firm’s policies and procedures help it to identify whether someone acting on behalf of the firm is corrupt?

  • How does your firm react to suspicions or allegations of bribery or corruption involving people with whom the firm is connected?

Examples of good practice:

  • The firm clearly sets out behaviour expected of those acting on its behalf.

  • There are unambiguous consequences for breaches of the firm’s anti-corruption policy.

  • Risk-based, appropriate additional monitoring and due diligence are undertaken for jurisdictions, sectors and business relationships identified as higher risk.

  • Staff responsible for implementing and monitoring anti-bribery and corruption policies and procedures have adequate levels of anti-corruption expertise.

  • Where appropriate, the firm refers to existing sources of information, such as expense registers, policy queries and whistleblowing and complaints hotlines, to monitor the effectiveness of its anti-bribery and corruption policies and procedures.

  • Political and charitable donations are subject to appropriate due diligence and are approved at an appropriate management level, with compliance input.

  • Firms that do not provide staff with access to whistleblowing hotlines have processes in place to allow staff to raise concerns in confidence or, where possible, anonymously, with adequate levels of protection.

Examples of poor practice:

  • The firm does not assess the extent to which staff comply with its anti-corruption policies and procedures.

  • The firm’s anti-corruption policies and procedures are out of date.

  • A firm relies on passages in the staff code of conduct that prohibit improper payments, but has no other controls.

  • The firm does not record corporate hospitality given or received.

  • The firm does not respond to external events that may highlight weaknesses in its anti-corruption systems and controls.

  • The firm fails to consider whether clients or charities who stand to benefit from corporate hospitality or donations have links to relevant political or administrative decision-makers.

  • The firm fails to maintain records of incidents and complaints.

See SYSC 3.2.6R and SYSC 6.1.1R.

Dealing with third parties

FCG 6.2.4

We expect firms to take adequate and risk-sensitive measures to address the risk that a third party acting on behalf of the firm may engage in corruption.

Self-assessment questions:

  • Do your firm’s policies and procedures clearly define ‘third party’?

  • Do you know your third party?

  • What is your firm’s policy on selecting third parties? How do you check whether it is being followed?

  • To what extent are third-party relationships monitored and reviewed? Are the frequency and depth of the monitoring and review commensurate with the risk associated with the relationship?

  • Is the extent of due diligence on third parties determined on a risk-sensitive basis? Do you seek to identify any bribery and corruption issues as part of your due diligence work, e.g. negative allegations against the third party or any political connections? Is due diligence applied consistently when establishing and reviewing third-party relationships?

  • Is the risk assessment and due diligence information kept up to date? How?

  • Do you have effective systems and controls in place to ensure payments to third parties are in line with what is both expected and approved?

Examples of good practice:

  • Where a firm uses third parties to generate business, these relationships are subject to thorough due diligence and management oversight.

  • The firm reviews in sufficient detail its relationships with third parties on a regular basis to confirm that it is still necessary and appropriate to continue with the relationship.

  • Third parties are paid directly for their work.

  • The firm includes specific anti-bribery and corruption clauses in contracts with third parties.

  • The firm provides anti-bribery and corruption training to third parties where appropriate.

  • The firm reviews and monitors payments to third parties. It records the purpose of third-party payments.

  • There are higher or extra levels of due diligence and approval for high risk third-party relationships.

  • There is appropriate scrutiny of and approval for relationships with third parties that introduce business to the firm.

  • The firm’s compliance function has oversight of all third-party relationships and monitors this list to identify risk indicators, for example a third party’s political or public service connections.

Examples of poor practice:

  • A firm using intermediaries fails to satisfy itself that those businesses have adequate controls to detect and prevent their staff using bribery to generate business.

  • The firm fails to establish and record an adequate commercial rationale to support its payments to overseas third parties, for example why it is necessary to use a third party to win business and what services the third party would provide to the firm.

  • The firm is unable to produce a list of approved third parties, associated due diligence and details of payments made to them.

  • The firm does not discourage the giving or receipt of cash gifts.

  • There is no checking of compliance’s operational role in approving new third-party relationships and accounts.

  • A firm assumes that long-standing third-party relationships present no bribery or corruption risk.

  • A firm relies exclusively on informal means to assess the bribery and corruption risks associated with third parties, such as staff’s personal knowledge of the relationship with the overseas third parties.

Case study – corruption risk

FCG 6.2.5

In 2020, the FCA and the PRA fined Goldman Sachs International a total of £96.6m (US$126m) for risk management failures connected to a Malaysian development company (‘the company’) and its role in three fundraising transactions for the company.

The bank failed to assess and manage risk to the standard that was required given the high-risk profile of the transactions and failed to assess risk factors on a sufficiently holistic basis. The bank also failed to address allegations of bribery in 2013 and failed to manage allegations of misconduct in connection with the company in 2015.

The bank breached a number of FCA and PRA principles and rules. In particular, the bank failed to:

  • assess with due skill, care and diligence the risk factors that arose in each of the bond transactions on a sufficiently holistic basis;

  • assess and manage the risk of the involvement in the bond transactions of a third party about which the bank had serious concerns;

  • exercise due skill, care and diligence when managing allegations of bribery and misconduct in connection with the company and the third bond transaction; and

  • record in sufficient detail the assessment and management of risk associated with the company bond transactions.

See the FCA’s press release: www.fca.org.uk/news/press-releases/fca-pra-fine-goldman-sachs-international-risk-management-failures-1mdb.

Case study – inadequate anti-bribery and corruption systems and controls

FCG 6.2.6

In July 2011, the FSA fined Willis Limited, an insurance intermediary, £6.9m for failing to take appropriate steps to ensure that payments made to overseas third parties were not used for corrupt purposes. Between January 2005 and December 2009, Willis Limited made payments totalling £27m to overseas third parties who helped win and retain business from overseas clients, particularly in high risk jurisdictions.

Willis had introduced anti-bribery and corruption policies in 2008, reviewed how its new policies were operating in practice and revised its guidance as a result in May 2009. But it should have taken additional steps to ensure they were adequately implemented. In particular:

  • Willis failed to ensure that it established and recorded an adequate commercial rationale to support its payments to overseas third parties.

  • It did not ensure that adequate due diligence was carried out on overseas third parties to evaluate the risk involved in doing business with them.

  • It failed to review in sufficient detail its relationships with overseas third parties on a regular basis to confirm whether it was necessary and appropriate to continue with the relationship.

  • It did not adequately monitor its staff to ensure that each time it engaged an overseas third party an adequate commercial rationale had been recorded and that sufficient due diligence had been carried out.

See the FCA’s press release: www.fca.org.uk/news/press-releases/fsa-fines-willis-limited-%C2%A36895-million-anti-bribery-and-corruption-systems-and.

Case study – third parties

FCG 6.2.7

In 2022, the FCA fined JLT Speciality Limited £7,881,700 for financial crime control failings, which in one instance allowed bribery of over US$3m to take place. The firm failed to consider whether additional safeguards or approvals should be incorporated into its processes in respect of overseas introducers engaged by another group entity, where the introduced business was placed by the firm in the London market. Among other issues, the firm’s third-party risk assessments failed to:

  • ensure that information held by employees who were either involved in negotiating the relationship with the third party or placing the business in the London market, including potential red flags, was brought to the attention of the company’s ‘know your customer’ subcommittee or its financial crime team;

  • ensure that the other entity disclosed all material information about the third party to the financial crime team for review, consideration and action as necessary; and

  • consider whether additional monitoring and oversight of third parties, in accordance with the firm’s process, was appropriate.

See the FCA’s press release: www.fca.org.uk/news/press-releases/jlt-specialty-limited-fined-7.8m-pounds-financial-crime-control-failings.