FCTR 7.1 Introduction

FCTR 7.1.1 G

1 Who should read this chapter? This chapter is relevant to:

  1. all firms subject to the financial crime rules in SYSC 3.2.6R or SYSC 6.1.1R; and

  2. e-money institutions and payment institutions within our supervisory scope who have or are considering establishing operations in offshore centres.

FCTR 7.1.2 G

1In the second half of 2008 the FSA reviewed how financial services firms in the UK were addressing financial crime risks in functions they had moved to offshore centres. The review followed on from the FSA’s report into data security in financial services (April 2008 – https://webarchive.nationalarchives.gov.uk/ukgwa/20130410174411mp_/http://www.fsa.gov.uk/pubs/other/data_security.pdf).

FCTR 7.1.3 G

1The main financial crime risks the FSA reviewed were: customer data being lost or stolen and used to facilitate fraud; money laundering; and fraud. The review found that, while there were good data security controls in place across the industry, continued effort was required to ensure controls did not break down and that they remained ‘valid and risk-based’.

FCTR 7.1.4 G

1The review emphasised the importance of appropriate vetting and training of all staff, particularly with regard to local staff who had financial crime responsibilities. An examination revealed that training in this area was often lacking and not reflective of the needs of, and work done by, members of staff. The report emphasised that senior management should ensure that staff operating in these roles were given proper financial crime training as well as ensuring they possessed the appropriate technical know-how. The review also highlighted that, due to high staff turnover, firms needed appropriate and thorough vetting controls to supplement inadequate local electronic intelligence and search systems.

FCTR 7.1.5 G

1The contents of this report are reflected in FCG 2 (Financial crime systems and controls) and FCG 5 (Data security).

FCTR 7.3 Consolidated examples of good and poor practice

FCTR 7.3.1 G

1This report did not contain consolidated examples of good and poor practice.