You are viewing the version of the document as on 2024-12-12.

FCTR 4.1 Introduction

FCTR 4.1.1 G

1 Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to all firms for whom we are the supervisory authority under the Money Laundering Regulations.

FCTR 4.1.2 G

1The extent to which we expect a firm to use automated anti-money laundering transaction monitoring (AML TM) systems depends on considerations such as the nature and scale of its business activities. There may be firms, particularly, smaller firms, that monitor credibly and effectively using manual procedures. This chapter will not apply to such firms where they do not, and are not intending to, use AML TM systems, although it may still be of interest to them.

FCTR 4.1.3 G

1The FSA wrote a short report on automated Anti-Money Laundering Transaction Monitoring Systems in July 2007. This was in anticipation of the fact that transaction monitoring would become compulsory following the implementation of the Money Laundering Regulations 2007.

FCTR 4.1.4 G

1The report explains that the FSA did not anticipate that there would be major changes in firms’ practice, as the new framework expressed in law what firms were already doing. Instead, it is to be read as feedback on good practice to assist firms in complying with the Money Laundering Regulations 2007.

FCTR 4.1.5 G

1The report confirms our expectation that senior management should be in a position to monitor the performance of transaction monitoring (TM) systems, particularly at firms that experience operational or performance issues with their systems, to ensure issues are resolved in a timely fashion. Particular examples of good practice include transaction monitoring and profiling; especially ensuring unusual patterns of customer activity are identified.

FCTR 4.1.6 G

1The contents of this report are reflected in FCG 2 (Financial crime systems and controls) and FCG 3 (Money laundering and terrorist financing).

FCTR 4.3 Consolidated examples of good and poor practice

FCTR 4.3.1 G

1This report contained the following Examples of good practice:

FCTR 4.3.2 G

1Statement of good practice

  1. • Depending on the nature and scale of a firm’s business activities, automated AML TM systems may be an important component of an effective overall AML control environment.

Methodologies

  1. • TM systems use profiling and/or rules-based monitoring methods.

  2. • Profiling identifies unusual patterns of customer activity by applying statistical modelling techniques. These compare current patterns of activity to historical activity for that customer or peer group.

  3. • Rules-based monitoring compares customer activity to fixed pre-set thresholds or patterns to determine if it is unusual.

Development and implementation

  1. • A clear understanding of what the system will deliver and what constraints will be imposed by the limitations of the available data (including any issues arising from data cleanliness or legacy systems).

  2. • Consideration of whether the vendor has the skills, resources and ability to deliver the promised service and provide adequate ongoing support.

  3. • Maintenance of good working relations with the vendor, e.g. when collaborating to agree detailed system configuration.

  4. • Use of recommended hardware, not necessarily a firm’s own standard, to reduce processing problems, or otherwise finding a solution that is a good fit with a firm’s existing infrastructure.

  5. • A full understanding of the data being entered into the system and of the business’s requirements.

  6. • Regular housekeeping and database maintenance (operational resilience is vital to ensure that queries do not back up).

  7. • Careful consideration of the risks of commissioning a bespoke vendor system, which may be incompatible with future standard product upgrades.

  8. • Continued allocation of sufficient resources to ensure manual internal suspicion reporting is effective, as TM can supplement, but not replace, human awareness in day-to-day business.

Effectiveness

  1. • Analyse system performance at a sufficiently detailed level, for example on a rule-by-rule basis, to understand the real underlying drivers of the performance results.

  2. • Set systems so they do not generate fewer alerts simply to improve performance statistics. There is a risk of ‘artificially’ increasing the proportion of alerts that are ultimately reported as suspicious activity reports without generating an improvement in the quality and quantity of the alerts being generated.

  3. • Deploy analytical tools to identify suspicious activity that is currently not being flagged by existing rules or profile-based monitoring.

  4. • Allocate adequate resources to analysing and assessing system performance, in particular to define how success is measured and produce robust objective data to analyse performance against these measures.

  5. • Consistently monitor from one period to another, rather than on an intermittent basis, to ensure that performance data is not distorted by, for example, ad hoc decisions to run particular rules at different times.

  6. • Measure performance as far as possible against like-for-like comparators, e.g. peers operating in similar markets and using similar profiling and rules.

Oversight

  1. • Senior management should be in a position to monitor the performance of TM systems, particularly at firms that are experiencing operational or performance issues with their systems, so that issues are resolved in a timely fashion.

  2. • Close involvement of the project management process by major business unit stakeholders and IT departments is an important component of successful system implementation.

Reporting & review

  1. • There should be a clear allocation of responsibilities for reviewing, investigating and reporting details of alerts generated by TM systems. Those responsible for this work should have appropriate levels of skill and be subject to effective operational control and quality assurance processes.