FCTR 8.1 Introduction

FCTR 8.1.1

1 Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply, to all firms subject to the financial crime rules in SYSC 3.2.6R or SYSC 6.1.1R and to e-money institutions and payment institutions within our supervisory scope.

FCTR 8.1.2

1In April 2009 the FSA published the findings of our thematic review of firms’ approach to UK financial sanctions. The FSA received 228 responses to an initial survey from a broad range of firms across the financial services industry, ranging from small firms to major financial groups, both retail and wholesale. Tailored surveys were sent to different types of firms to ensure that the questions were relevant to the nature and scale of the business of each firm. The FSA then selected a sub-sample of 25 firms to visit to substantiate the findings from the surveys.

FCTR 8.1.3

1The review highlighted areas where there was significant scope across the industry for improvement in firms’ systems and controls to comply with the UK financial sanctions regime. The FSA found that, while some firms had robust systems in place that were appropriate to their business need, others, including some major firms, lacked integral infrastructure and struggled with inappropriate systems for their business. In small firms in particular, the FSA found a widespread lack of awareness of the UK financial sanctions regime.

FCTR 8.1.4

1The report examined a number of key areas of concern which included an in-depth look at whether senior management were aware of their responsibilities and, if so, were responding in an appropriate manner. The FSA also identified issues over the implementation of policies and procedures, particularly those put in place to ensure that staff were adequately trained, were kept aware of changes in this area, and knew how to respond when sanctions were imposed. The FSA also had concerns about firms’ screening of clients, both initially and as an ongoing process.

FCTR 8.1.5

1The contents of this report are reflected in FCG 2 (Financial crime systems and controls) and FCG 7 (Sanctions and asset freezes).

FCTR 8.3 Consolidated examples of good and poor practice

FCTR 8.3.1

1Senior management responsibility

Examples of good practice

Examples of poor practice

Senior management involvement in approving and taking responsibility for policies and procedures.

No senior management involvement or understanding regarding the firm’s obligations under the UK financial sanctions regime, or its systems and controls to comply with it.

A level of senior management awareness of the firm’s obligations regarding financial sanctions sufficient to enable them to discharge their functions effectively.

No, or insufficient, management oversight of the day-to-day operation of systems and controls.

Appropriate escalation in cases where a potential target match cannot easily be verified.

Failure to included assessments of the financial sanctions systems and controls as a normal part of internal audit programmes.

Adequate and appropriate resources allocated by senior management.

No senior management involvement in any cases where a potential target match cannot easily be verified.

Appropriate escalation of actual target matches and breaches of UK financial sanctions.

Senior management never being made aware of a target match or breach of sanctions for an existing customer.

Failure to notify customers affected by data loss in case the details are picked up by the media.

FCTR 8.3.2

1Risk assessment

Examples of good practice

Examples of poor practice

Conducting a comprehensive risk assessment, based on a good understanding of the financial sanctions regime, covering the risks that may be posed by clients, transactions, services, products and jurisdictions.

Not assessing the risks that the firm may face of breaching financial sanctions.

Taking into account associated parties, such as directors and beneficial owners.

Risk assessments that are based on misconceptions.

A formal documented risk assessment with a clearly documented rationale for the approach.

FCTR 8.3.3

1Policies and procedures

Examples of good practice

Examples of poor practice

Documented policies and procedures in place, which clearly set out a firm’s approach to complying with its legal and regulatory requirements in this area.

No policies or procedures in place for complying with the legal and regulatory requirements of the UK financial sanctions regime.

Group-wide policies for UK financial sanctions screening, to ensure that business unit-specific policies and procedures reflect the standard set out in group policy.

Internal audits of procedures carried out by persons with responsibility for oversight of financial sanctions procedures, rather than an independent party.

Effective procedures to screen against the Consolidated List (See FCG Annex 1 for descriptions of common terms) that are appropriate for the business, covering customers, transactions and services across all products and business lines.

Clear, simple and well understood escalation procedures to enable staff to raise financial sanctions concerns with management.

Regular review and update of policies and procedures.

Regular reviews of the effectiveness of policies, procedures, systems and controls by the firm’s internal audit function or another independent party.

Procedures that include ongoing monitoring/screening of clients.

FCTR 8.3.4

1Staff training and awareness

Examples of good practice

Examples of poor practice

Regularly updated training and awareness programmes that are relevant and appropriate for employees’ particular roles.

No training on financial sanctions.

Testing to ensure that employees have a good understanding of financial sanctions risks and procedures.

Relevant staff unaware of the firm’s policies and procedures to comply with the UK financial sanctions regime.

Ongoing monitoring of employees’ work to ensure they understand the financial sanctions procedures and are adhering to them.

Changes to the financial sanctions policies, procedures, systems and controls are not communicated to relevant staff.

Training provided to each business unit covering both the group-wide and business unit-specific policies on financial sanctions.

FCTR 8.3.5

1Screening during client take-on

Examples of good practice

Examples of poor practice

An effective screening system appropriate to the nature, size and risk of the firm’s business.

Screening only on notification of a claim on an insurance policy, rather than during client take-on.

Screening against the Consolidated List at the time of client take-on before providing any services or undertaking any transactions for a customer.

Relying on other FSA-authorised firms and compliance consultants to screen clients against the Consolidated List without taking reasonable steps to ensure that they are doing so effectively.

Screening directors and beneficial owners of corporate customers.

Assuming that AML customer due diligence checks include screening against the Consolidated List.

Screening third party payees where adequate information is available.

Failing to screen UK-based clients on the assumption that there are no UK-based persons or entities on the Consolidated List or failure to screen due to any other misconception.

Where the firm’s procedures require dual control (e.g. a ‘four eyes’ check) to be used, having in place an effective process to ensure this happens.

Large global institutions with millions of clients using manual screening, increasing the likelihood of human error and leading to matches being missed.

The use of ‘fuzzy matching’ where automated screening systems are used.

IT systems that cannot flag potential matches clearly and prominently.

Where a commercially available automated screening system is implemented, making sure that there is a full understanding of the capabilities and limits of the system.

Firms calibrating their screening rules too narrowly or too widely so that they, for example, match only exact names with the Consolidated List or generate large numbers of resource intensive false positives.

Regarding the implementation of a commercially available sanctions screening system as a panacea, with no further work required by the firm.

Failing to tailor a commercially available sanctions screening system to the firm’s requirements.

FCTR 8.3.6

1Ongoing screening

Examples of good practice

Examples of poor practice

Screening of the entire client base within a reasonable time following updates to the Consolidated List.

No ongoing screening of customer databases or transactions.

Ensuring that customer data used for ongoing screening is up to date and correct.

Failure to screen directors and beneficial owners of corporate customers and/or third party payees where adequate information is available.

Processes that include screening for indirect as well as direct customers and also third party payees, wherever possible.

Failure to review the calibration and rules of automated systems, or to set the calibration in accordance with the firm’s risk appetite.

Processes that include screening changes to corporate customers’ data (e.g. when new directors are appointed or if there are changes to beneficial owners).

Flags on systems that are dependent on staff looking for them.

Regular reviews of the calibration and rules of automated systems to ensure they are operating effectively.

Controls on systems that can be overridden without referral to compliance.

Screening systems calibrated in accordance with the firm’s risk appetite, rather than the settings suggested by external software providers.

Systems calibrated to include ‘fuzzy matching’, including name reversal, digit rotation and character manipulation.

Flags on systems prominently and clearly identified.

Controls that require referral to relevant compliance staff prior to dealing with flagged individuals or entities.

FCTR 8.3.7

1Treatment of potential target matches

Examples of good practice

Examples of poor practice

Procedures for investigating whether a potential match is an actual target match or a false positive.

No procedures in place for investigating potential matches with the Consolidated List.

Procedures for freezing accounts where an actual target match is identified.

Discounting actual target matches incorrectly as false positives due to insufficient investigation.

Procedures for notifying the Treasury’s AFU promptly of any confirmed matches.

No audit trail of decisions where potential target matches are judged to be false positives.

Procedures for notifying senior management of target matches and cases where the firm cannot determine whether a potential match is the actual target on the Consolidated List.

A clear audit trail of the investigation of potential target matches and the decisions and actions taken, such as the rationale for deciding that a potential target match is a false positive.