SUP 16 Annex 42B Guidance notes for completion of the Annual Financial Crime Report

G

The form in SUP 16 Annex 42AR should only be completed by firms and electronic money institutions and payment institutions subject to the reporting requirements in SUP 16.23.4R and SUP 16.15.5AD of the FCA Handbook.

General Notes

This data item is reported on a single unit basis and in integers, except where a full-time equivalent (FTE) figure is requested. Where an FTE figure is requested, this should be reported to two decimal places where available. If the figure to be reported is a whole number, this should be reported as [n].00.

For the purposes of this data item and guidance notes, any references to firm or firms should be read as also applying to electronic money institutions and payment institutions.

This return allows firms to report for a specified group of firms in a single Annual Financial Crime Report. Where a report is filed for a group of firms, the reported information should be the aggregate data for those firms. Firms should note that this is only available where all the firms included are subject to the requirement (i.e. firms that would not be subject to the requirement on a solo entity basis, based on the application provision in SUP 16.23.1R, should not be included).

Firms subject to the requirement and which have a different accounting reference date from the firm submitting the Annual Financial Crime Report on behalf of a group should have their firm reference numbers (FRNs) included in the group report list. They will then need to submit a nil return for the entity via the appropriate systems accessible from the FCA website.

For the purposes of completing this return, references to ‘customer’ or ‘client’ refer to customer or client relationships as defined in the FCA Handbook.

We will use the data we collect through this data item to assess the nature of financial crime risks within the financial services sector. Section 5 of this return is designed to allow the FCA to track the industry’s perception of the most prevalent fraud risks. A firm may not be specifically affected by the fraud typologies it considers most prevalent across the industry.

Data Elements

Group reporting

1A

Does the data in this report cover more than one authorised firm?

If the report is being submitted on behalf of a number of firms, firms should answer ‘yes’ to this question.

2A

If yes, list the FRNs of all additional firms included in this report.

Where a report is submitted on behalf of a number of firms, the submitting firm should report all of the FRNs of the firms included.

A firm listed in response to this question by another firm within its group will see the requirement marked as ‘satisfied for group’ in the appropriate systems accessible from the FCA website. Firms to whom this applies do not need to report a separate nil return.

Section 1: Operating jurisdictions

Please list:

3A

The jurisdictions within which the firm operates as at the end of the reporting period.

Input the country codes (in ISO 3166 format) of the jurisdictions within which the firm is operating as at the end of the reporting period.

Only those jurisdictions active as at the end of the reporting period should be reported; if a firm terminated operations within a jurisdiction during the reporting period, this jurisdiction does not need to be reported.

‘Operates’ for the purposes of this form is defined as where the firm carries on its business or has a physical presence through a legal entity.

For avoidance of doubt, this definition includes those jurisdictions in which the firm has representative offices.

Where a firm is operating in the UK as a branch or subsidiary of a foreign institution, it should report the operations of the UK branch or subsidiary rather than all jurisdictions where the firm operates.

This question does not concern the geographical location of the firm’s customers or clients.

This question is mandatory and must contain at least one entry, i.e. ‘GBR’.

3B

Those jurisdictions assessed and considered high-risk by the firm.

Input the country codes (in ISO 3166 format) of the jurisdictions assessed and considered by the firm to be high-risk. As a minimum, firms should report any jurisdictions considered high-risk in which they operate. In addition, where a firm has conducted a Country Risk Assessment (i.e. it maintains a ‘high-risk jurisdiction list’) the jurisdictions that were the subject of such an assessment should be recorded in 3B.

This question should be answered with regard to the firm’s own assessment of risk, which may or may not include the use of available public indices.

A firm should therefore leave this section blank if it does not operate in any high-risk jurisdictions nor carry out a country risk assessment.

Firms who provide a positive response to question 17 (customers linked to high-risk jurisdictions) should also provide a response to question 3B.

Section 2: Customer information

Figures in this section should be for the number of customer or client relationships as at the end of the reporting period. It should include all accounts that are open, including dormant and inactive accounts. This would also include all current accounts, CTF bank accounts, client bank accounts and client transaction accounts. It excludes former customers or clients. Each party to a joint account should be recorded as a separate customer or client.

Where the figure requested is ‘new in the reporting period’, a firm should report new (not pre-existing) customer or client relationships initiated within the reporting period. This should not include existing customers taking on new products. A firm should only provide figures in this section for those areas of its business subject to the Money Laundering Regulations.

For non-financial institutions which may carry out some regulated business (e.g. consumer credit), the firm should not include customers which are outside the scope of the Money Laundering Regulations.

Firms should refer to sector specific industry guidance (i.e. JMLSG Guidance Part II) for additional information on who is their customer or client for the purposes of this section.

Firms should ensure they record an entry in each field. Where a firm has no data to report it should record ‘0’.

If any part of the firm’s business is subject to the Money Laundering Regulations, please provide the total number of the firm’s relationships with:

4A&B

Politically Exposed Persons (PEPs)

A definition of ‘Politically Exposed Person’ can be found in Regulation 35(12)(a). The figure should include family members and known close associates of PEPs, as defined in Regulation 35(12)(b) and (c) of the Money Laundering Regulations. These definitions should be read in conjunction with the guidance published by the FCA in FG17/6.

Firms should report the number of customer or client relationships, either individual or corporate, which they have classified in accordance with FG17/6 as being a “higher risk” PEP, family member, known close associate or PEP-connected relationship. They should not report the total number of PEPs associated with a particular corporate customer or client.

UK PEPs do not need to be reported as PEP customers. However, if there are other factors which might indicate higher risks, then this should be reported in Question 6A&B.

Firms should not reclassify customers or clients for the purposes of completing this return. If firms do not classify or identify PEP-connected corporate entities as PEP customers or clients within their current policies, there is similarly no requirement to report.

The figure provided should include existing customer or client relationships that became PEPs in the reporting period.

Where a PEP has multiple relationships with the firm, that PEP should only be reported once in each of questions 4A and 4B.

5A&B

Non-EEA correspondent banks

This refers to situations where a credit institution has a correspondent banking relationship with a respondent institution from a non-EEA state. These terms are intended as set out in Regulation 34(4)(a)(i) of the Money Laundering Regulations. Non-credit institutions who do not hold these types of relationships should simply record zero in their response. In addition, for the purposes of reporting, a firm is not required to include any relationship that falls within Regulation 34(4)(a)(ii).

6A&B

All other high-risk customers

This refers to a customer or client categorised as being high-risk for the purposes of compliance with Regulation 33(1)(a) of the Money Laundering Regulations, and therefore subject to Enhanced Customer Due Diligence measures, but not otherwise captured in response to question 4 or 5.

Existing customers who become high-risk during the relevant period should be included in the response to 6B.

For the firm’s business subject to the Money Laundering Regulations:

7-16

Please provide the number of the firm’s customer relationships located in the following geographical areas:

The location for customer or client relationships should be determined by the location in which the customer or client is based. Where a customer or client has multiple addresses, the location reported should be the primary correspondence address as determined by the firm.

Where the relationship is with a trust, the firm should report the location as the location of the trust.

Note that question 7 is an aggregate figure, therefore responses recorded in questions 8 to 10 should be less than or equal to the figure recorded in response to question 7.

Except for the United Kingdom and EEA, for the purposes of this question geographical areas should be determined with reference to SUP 16 Annex 42CG.

17

Please provide the number of the firm’s customers linked to those jurisdictions considered by the firm to be high-risk:

The firm should provide the number of customers judged by the firm to have links to jurisdictions identified by it as high-risk in question 3B. Therefore firms who provide customer numbers in response to question 17 should also provide a response to question 3B.

Links to a high-risk jurisdiction, for the purposes of this question, means customers or clients that are resident/domiciled/incorporated in a jurisdiction identified as high-risk by the firm.

18A&B

Please provide the number of customer relationships refused or exited for financial crime reasons during the reporting period:

The number of ‘refused’ relationships refers to the number of customers or clients that the firm did not take on, where financial crime was the principal driver behind the decision. This could be at any stage of customer or client take-on.

It would not include customers or clients whose application did not proceed because, for example, they lacked appropriate documentary evidence of identity or who failed Immigration Act 2014 checks. It would include customers or clients whose application was escalated to management (due to financial crime concerns) for a decision on whether to proceed, and was rejected.

‘Relationships exited’ covers any customers or clients with whom the firm ceased to do business where financial crime was the principal driver behind the decision. This would only include customers or clients exited from all lines of business.

‘Relationships exited’ also covers criminal behaviour by the customer or client where such behaviour has a financial element, e.g. benefits fraud.

Section 3: Compliance information

Firms should ensure they record an entry in each field. Where a firm has no data to report it should record ‘0’.

Please provide the number of suspicious activity reports (SARs) under Part 7 of the Proceeds of Crime Act 2002 (POCA):

19A

Submitted internally to the nominated officer/MLRO, within the firm, as at the end of the reporting period.

This includes reports filed internally from staff to the MLRO that relate to the staff member’s concerns, suspicions or knowledge of money laundering. The reported figure should include SARs generated by the AML/compliance function and system-generated SARs. These reports will be considered by the MLRO in order to decide whether a formal submission to the authorities is justified.

The figure should not include (either for staff-generated or system-generated SARs) any reports filtered out at an earlier stage.

19B

Disclosed to the National Crime Agency as at the end of the reporting period.

The number of SARs disclosed to the National Crime Agency within the reporting period, as at the end of the reporting period.

19C

The number of those SARs which were consent requests under s. 335 POCA.

The number of disclosed SARs which sought consent from the National Crime Agency within the reporting period, as at the end of the reporting period.

20

Please provide the number of SARs disclosed to the National Crime Agency under the Terrorism Act 2000 during the reporting period:

The number of SARs disclosed to the National Crime Agency under the Terrorism Act 2000 (including consent SARs) within the reporting period, as at the end of the reporting period.

21

Please provide the number of investigative court orders received as at the end of the reporting period:

This refers to production orders, disclosure orders, account monitoring orders and customer information orders as defined by the POCA, and/or the Terrorism Act 2000, received by the firm from law enforcement agencies or accredited financial investigators from other bodies as set out in an Order under section 453 of the POCA.

This would include, for example, investigative court orders relating to suspected benefits fraud.

The figure reported for this field should be the number of court orders received, regardless of the number of relationships to which these relate.

22A&B

Please provide the number of restraint orders being serviced/in effect as at the end of the reporting period and the number of new restraint orders received during the reporting period:

A ‘restraint order’ here refers to either a restraint order under section 42 of the POCA or a property freezing order under section 245A of the POCA.

The number of restraint orders being serviced should include all restraint orders which are still in effect as at the end of the reporting period.

The number of new restraint orders received should include all new restraint orders received by the firm during the reporting period, as at the end of the reporting period.

The figure reported for this field should be the number of restraint orders received, regardless of the number of relationships to which these relate.

23A&B

Please provide the number of relationships maintained with natural or corporate persons (excluding group members) which introduce business to the firm. Please also provide the number of these relationships which have been exited for financial crime reasons during the reporting period.

This question refers to individuals who, or corporate entities which, directly introduce customers or clients to the firm under a formal agency/broker agreement in return for a direct or indirect fee, commission or other monetary benefit.

If the firm makes no payment to the introducer (e.g. commission) it is not necessary to report these relationships.

Legacy commission payments do not need to be included where these arrangements were made prior to the relevant reporting period.

This question does not concern reliance as defined under Regulation 39 of the Money Laundering Regulations.

If the firm has appointed representatives (ARs):

24

Please provide the number of appointed representative (AR) relationships exited due to financial crime reasons:

Firms should report the number of existing AR relationships terminated for financial crime reasons during the reporting period.

If the firm has no appointed representatives it should record ‘0’.

For all firms:

25

As at the end of the reporting period, please provide the total full time equivalent (FTE) of UK staff with financial crime roles:

Firms should provide an FTE figure on a reasonable endeavours basis.

For example, if the firm has 20 part time staff that work 50% of normal hours in a financial crime role, the figure would be 10 FTE.

This figure should cover staff in roles relating to anti-money laundering, counter-terrorist financing, anti-bribery and corruption, and fraud.

This field facilitates the entry of numbers to two decimal places. Integers should therefore be provided in the format [n].00.

If this report is being completed on a group basis this figure should be the FTE for the specified group.

Where this report is being completed on a single regulated entity basis and services are shared across multiple firms, firms may provide an estimate of the FTE spent on each reported entity on a best endeavours basis.

In firms where financial crime responsibilities are divided up among staff with other roles rather than managed by a dedicated function, the figure should reflect the aggregated FTE spent on financial crime activity.

The phrase ‘financial crime roles’ for the purposes of this question is intended to cover staff employed in a dedicated financial crime function (for example AML or compliance teams) who deal with, or take decisions on financial crime issues. Therefore it would not cover teams or individuals responsible for collecting customer due diligence or those who submit internal suspicious activity reports.

Outsourced financial crime activities should not be included in this figure.

Of which:

26

Please provide the percentage of the FTE stated above dedicated to fraud responsibilities

Firms should provide a percentage figure on a reasonable endeavours basis. This field facilitates the entry of numbers to two decimal places. Integers should therefore be provided in the format [n].00.

Firms should note that this question requires them to provide the percentage of financial crime staff dedicated to fraud (i.e. of the total number provided in response to Q25, what proportion of staff deal with fraud only). This field should contain a value between 0 and 100 (to two decimal places).

If this report is being completed on a group basis this figure should be the percentage for the specified group.

Where this report is being completed on a single regulated entity basis and services are shared across multiple firms, firms may provide an estimate of the percentage spent on each reported entity on a best endeavours basis.

Section 4: Sanctions-specific information

27

Does the firm use an automated system (or systems) to conduct screening against relevant sanctions lists?

Firms should answer ‘Yes’ or ‘No’. Note there is no explicit regulatory or legal requirement for the use of automated screening tools. This question relates to automated systems for screening customers and clients only.

Relevant sanctions lists are the lists against which the firm screens its customers and clients.

28A&B

How many TRUE sanctions matches were detected during the reporting period?

The number of confirmed true sanctions alerts which matched against the firm’s customer, client or payment.

The number to be reported relates to any matches against any relevant sanctions lists and is defined as any matches reported to the relevant authorities, regardless of whether these are confirmed as true by the authority.

Relevant sanctions lists are the lists against which the firm screens its customers or clients.

Where no true sanctions matches were detected, firms should record ‘0’.

29

Does the firm conduct repeat customer sanctions screening?

Firms should answer ‘Yes’ or ‘No’.

This question relates to repeat customer or client sanctions screening only.

Section 5: Fraud

30-35A-D

Please indicate the firm’s view of the top three most prevalent frauds which the FCA should be aware of and whether they are increasing, decreasing or unchanged.

NB. This question is not mandatory.

This question is designed to obtain the firm’s view on the most prevalent frauds relevant to the firm’s business and will be used by the FCA to understand whether the organisation is aware of the fraud risks identified by the broader industry.

The fraud typologies available in the dropdown list are a subset taken from the Action Fraud A-Z of fraud types and are specified below. Please refer to the Action Fraud definitions in answering this question.

The identified fraud typologies may or may not be those by which the firm has been specifically impacted, but should be those that the firm considers most prevalent as at the end of the reporting period.

Fraud typologies

419 emails and letters

Abuse of position of trust

Account takeover

Advance fee fraud

Application fraud

Asset misappropriation fraud

Bond fraud

Carbon credits fraud

Cashpoint fraud

Cheque fraud

Companies – fraudulent

Computer hacking

Credit card fraud

Debit card fraud

Expenses fraud

Exploiting assets and information

Fraud recovery fraud

Hedge fund fraud

Identity fraud and identity theft

Insurance fraud

Landbanking fraud

Loan repayment fraud

Short and long firm fraud

Malware-enabled fraud

Mandate fraud

Mortgage fraud

Other (to be used where the specified typologies are not applicable). Please provide the fraud type in the free text box.

Other investment fraud

Pension liberation fraud

Phishing

Ponzi schemes

Procurement fraud

Pyramid schemes

Share sale fraud

Smishing

Vishing

Suspected perpetrators

Customer

Internal employee

Organised crime group

Other (to be used where the suspected perpetrator typologies are not applicable). Please provide the perpetrator type in the free text box.

Third party contractor

Third party professional

Third party supplier

Unknown third party

Primary Victim

Customer

Other (to be used where the suspected perpetrator is neither a customer nor a regulated firm/electronic money institution/payment institution). Please provide the primary victim type in the free text box.

Regulated firm/electronic money institution/payment institution (all jurisdictions).

Incidence

Decreasing

Emerging risk

Increasing

Stable