In today’s dynamic financial landscape, the threat of Financial Crime looms larger than ever. Regardless of whether you’re a global conglomerate or a regulated small-scale enterprise, the imperative to combat and forestall Financial Crime is centre stage. This imperative is not solely about financial ramifications; it encompasses a far-reaching spectrum that spans reputational damage, brand erosion, dwindling employee morale, strained business relationships, and the spectre of regulatory reprimand.

Enter the Financial Conduct Authority (FCA), wielding its regulatory mandate to ensure that authorised entities shore up their defences against becoming unwitting conduits for Financial Crime. The FCA’s mandate stipulates the establishment of systems and controls that pre-empt the exploitation of financial platforms for nefarious purposes. The litmus test for businesses is their ability to substantiate the deployment of robust governance, effective risk protocols, and comprehensive internal mechanisms, all calibrated to navigate the labyrinth of financial crime risk.

In this arena of unrelenting challenge, ComplyPortal introduces the Financial Crime Benchmarking Programme.

ComplyPortal’s Financial Crime Benchmarking Programme—curated by our in-house compliance experts consists of a series of incisive questionnaires, adeptly engineered to empower organisations in assessing their existing financial crime strategies. The goal: to unearth latent vulnerabilities that warrant immediate attention. This includes:

• Governance: A meticulously designed compass to navigate the intricate terrain of compliance.
• Structure, Accountabilities, and Responsibilities: A blueprint for delineating roles and obligations with precision.
• Risk Assessments: A magnifying lens to potential vulnerabilities.
• Policies and Procedures: Systematic protocols that inoculate against illicit activities.
• Recruitment, Vetting, Training & Awareness: A roadmap for nurturing a workforce that is both vigilant and resilient.
• Oversight, Monitoring & MI: A surveillance mechanism mitigating blind spots.

Acquire Your Financial Crime Advantage Today

For a nominal investment of £795 plus VAT, you can fortify your institution’s financial crime resilience. Upon purchase, you will gain exclusive online access to all six meticulously crafted questionnaires through our ComplyPortal platform. This interface empowers you to seamlessly navigate, diligently complete, meticulously review, and conveniently download your Financial Crime Benchmarking Programme

Elevate your financial crime risk management. Acquire ComplyPortal’s Financial Crime Benchmarking Programme today.

With regulator increasing scrutiny on financial crime controls, how does your firm measure up? 

In an effort to provide a better experience for consumers, we often see a desire to make the client onboarding process as quick and easy as possible for the end user. However, this also seems to be attracting the attention of criminals—specifically those who intend to set up “money mule networks”.

To capture potential customer interest, financial firms and banks may promote their quick and efficient onboarding process. The ability to open accounts easily and within minutes might make procedures of the traditional high street bank seem draconian in comparison. However, is it equally draconian to consider that with increased speed comes increased scope for error?

As an example of increased FCA scrutiny, the FCA recently reviewed a sample of challenger banks to obtain a clearer picture of how these institutions are exposed to financial crime risk—especially money laundering. Their analysis was focused on (but not limited to) the following financial crime procedures within the firms reviewed:

• Governance and management information
• Policies and procedures
• Risk assessments
• Identification of high risk / sanctioned individuals or entities
• Due diligence and ongoing monitoring
• Communication, training, and awareness

Observations

Changing and updating processes in the name of progress is a valid and noble idea, but not when that change leads to wider scope for abuse by the criminal fraternity and increased and unnecessary exposure to risk for the consumer in general—particularly those that are more vulnerable than others.

Through this review, the regulator concluded that, although challenger banks rely on fast customer growth in order to expand, this does not mean that they must sacrifice their compliance with Customer Due Diligence (CDD) obligations as set out within the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLRs) (as amended).

It would appear the regulator seems to be acknowledging the success and advantages that the challenger banks provide, whilst on the other hand requiring their financial crime frameworks to mirror the more traditional model. The ideal approach appears to be one that can offer a hybrid model of speed, agility, and tradition.

How ComplyPortal can help

Regtech and compliance management technology offer compliance officers tools to balance the many demands of demonstrating control of compliance responsibilities. For example, ComplyPortal’s Monitoring module helps to continuously monitor tasks while producing a full reporting and audit trail to demonstrate continuous monitoring to the regulator.

Additionally, tools like the visual ‘heatmap’ in ComplyPortal’s Risk module help firms to map risks and track both inherent and residual risk scores which could impact their firm’s financial crime procedures. This allows firms to easily visualise and focus on those controls which are most important at mitigation of highest risk areas.

Compliance teams can also ensure staff awareness of company procedures through ComplyPortal’s Attestations module. Users can efficiently send reminders for staff to affirm their understanding of policies and procedures and how they can contribute to minimising financial crime risks throughout a firm.

Using software to assist and centralise areas of compliance gives compliance officers more time and freedom for complex tasks like long-term strategizing and planning for current and future operational risks.

Find out more about how the ComplyPortal platform can help firms adapt to new regulatory expectations at: https://complyportal.uk/modules

About ComplyPortal:

First developed in 2011 by compliance professionals for compliance officers, ComplyPortal offers workflow, automation, and several modules to help firms with control and regulatory compliance monitoring.

ComplyPortal simplifies financial services regulatory compliance management on an easy-to-use cloud-based comprehensive compliance platform. It enables compliance officers, risk officers and senior management to keep track of their firm’s regulatory responsibilities and workflows. Our platform includes the following modules, among others:

• Monitoring: a year-round schedule pre-populated with monitoring questionnaires to ease compliance processes.
• Registers: lists controlled by the Compliance officer, but easy for staff to view.
• Risk: map and control risk areas to effectively identify and manage risk for your firm.
• eKYC solution: perform comprehensive searches, including client identity verification, document authenticity, and more for a comprehensive KYC and AML approach

On 1 March 2021, the EBA published its final report setting out revised guidelines on customer due diligence (CDD) and the factors credit and financial institutions should consider when assessing money laundering (ML) and terrorist financing (TF) risk associated with business relationships and occasional transactions under Articles 17 and 18(4) of Fourth Money Laundering Directive (EU 2015/849) (MLD4).

MLD4 and a risk-based approach

The anti-money laundering directives are the key pieces of legislation which make up the current European Union anti-money laundering (AML) and counter-terrorist financing (CTF) regime. MLD4 placed a risk-based approach at the center of the regime. As the risk of ML and TF can vary, a risk-based approach helps to manage that risk effectively. MLD4 was required to be transposed into national law by 26 June 2017.

Guidelines

The greater emphasis in MLD4 on a risk-based approach meant that there was a greater need for guidance for National Competent Authorities (NCAs) and firms. Under MLD4, the European Supervisory Authorities (ESAs) were required to issue guidelines by 26 June 2017, addressed to NCAs and firms, on the risk factors firms should take into consideration and the measures they should take in situations where simplified or enhanced customer due diligence (CDD) would be appropriate. The aim was to promote a common understanding, by firms and competent authorities, of what the risk-based approach to AML/CFT entails and how it should be applied.

The Final Guidelines (JC/2017/37) were published on 26 June 2017. The guidelines have applied since 26 June 2018. Guidelines are addressed to NCAs and firms and their purpose is to clarify the supervisory expectations and to enhance the convergence of supervisory practices. Although they are non-binding, NCAs and firms to whom guidelines are addressed are expected to comply with them (on a “comply or explain” basis).

MLD5 and ESA ongoing work

On 19 June 2018, the Fifth Money Laundering Directive (EU 2018/843) (MLD5) entered into force. MLD5 was required to transpose into national law by 10 January 2020. MLD5 amended MLD4 to strengthen the fight against terrorist finance and ensure the increased transparency of financial transactions. As a result, the Guidelines needed to be updated to take account of the new legal framework. At the same time, the ESAs’ ongoing work on ML/TF risk highlighted several areas where significant differences continued to exist in firms’ approaches to AML/CFT.

The EBA’s new role

Since 1 January 2020, the responsibility to produce these guidelines (and to update them) has been passed to the European Banking Authority (EBA), by virtue of Article 3(3) of the Omnibus Directive amending Article 17 of MLD4, giving the EBA powers to lead, co-ordinate and monitor efforts to strengthen AML and CTF measures across the EU in respect of financial institutions.

The EBA launched a consultation on a revised version of the guidelines on 5 February 2020 proposing changes to reflect MLD5, as well as concerns identified by the ESAs.

The revised guidelines

On 1 March 2021, the EBA published its final revised guidelines.

General Guidelines

The EBA has provided more details to existing central parts of the guidelines, as well as adding new guidance on emerging risks:

• business-wide and individual ML/TF risk assessments;
• customer due to diligence measures including the identification of the beneficial owner and
• enhanced due diligence in relation to high risk third countries;
• TF risk factors; and
• emerging risks, such as the use of innovative solutions for CDD purposes.

High risk third countries

The revised Guidelines require firms to carefully assess the risks associated with business relationships and transactions where the customer is known to maintain close personal or professional links with a high-risk third country, or beneficial owner(s) is/are known to maintain close personal or professional links with a high-risk third country.

Beneficial ownership

Under the revised guidelines, when discharging their obligations set out in Article 13(1)(b) of MLD4 to understand the customer’s ownership and control structure, firms should:

• ask the customer who their beneficial owners are;
• document the information obtained; and
• then take all necessary and reasonable measures to verify the information: to achieve this, firms should consider using beneficial ownership registers where available.

Beneficial ownership registers – Firms should be mindful that using information contained in beneficial ownership registers does not, in itself, fulfil their duty to take adequate and risk-sensitive measures to identify the beneficial owner and verify their identity. Firms may have to take additional steps to identify and verify the beneficial owner, specifically where the risk associated with the business relationship is increased or where the firm has doubts that the person listed in the register is the ultimate beneficial owner.

Control through other means – Firms should also take reasonable measures to understand the customer’s ownership and control structure. The measures firms take to understand the customer’s ownership and control structure should be sufficient so that the firm can be reasonably satisfied that it understands the risk associated with different layers of ownership and control. In particular, firms should be satisfied that, the customer’s ownership and control structure are not unduly complex or opaque; or complex or opaque ownership and control structures have a legitimate legal or economic reason.

Firms should pay particular attention to persons who may exercise ‘control through other means. Examples of ‘control through other means’ firms should consider include:

• control without direct ownership, for example through close family relationships, or historical or contractual associations;
• using, enjoying or benefiting from the assets owned by the customer;
• responsibility for strategic decisions that fundamentally affect the business practices or general direction of a legal person.

Identifying the customer’s senior managing officials – Firms should resort to identifying the customer’s senior managing officials as beneficial owners only if:

• They have exhausted all possible means of identifying the natural person who ultimately owns or controls the customer;
• Their inability to identify the natural person who ultimately owns or controls the customer does not give rise to suspicions of ML/TF; and
• They are satisfied that the reason given by the customer as to why the natural person who ultimately owns or controls the customer cannot be identified is plausible.

De-risking

EBA also reiterates that there is no requirement for financial institutions to discontinue services to entire categories of customers that they associate with higher ML/TF risk (so-called ‘de-risking’). Instead, firms should balance the need for financial inclusion with the need to mitigate and manage ML/TF risk.

The EBA had launched a separate Call for Input in 2020, to understand why financial institutions choose to de-risk and therefore exacerbate financial exclusion, instead of managing the risks associated with certain sectors or categories of customers. The Call for Input received more than 300 responses by the deadline in September 2020 and the EBA is assessing the implications for its policy development in this area. The feedback gathered from this Call will potentially feed into other EBA outputs.

Electronic identification

Where a business relationship is initiated, established, or conducted in non-face to face situations or an occasional transaction is done in non-face to face situations, firms should take adequate measures to be satisfied that the customer is who he claims to be and assess whether the non-face to face nature of the relationship or occasional transaction gives rise to increased ML/TF risk. The use of electronic means of identification does not of itself give rise to increased ML/TF risk, especially where these electronic means provide a high level of assurance.

Moreover, MLD4 is technology neutral and firms may choose to use electronic or documentary means, or a combination thereof, to evidence their customers’ identity. Firms that use or intend to use innovative technological means for identification and verification purposes should assess the extent to which the use of innovative technological solutions can address, or might exacerbate, the ML/TF risks, particularly in non-face to face situations. Firms that use an external provider, rather than develop their own innovative solution in-house, remain ultimately responsible for meeting their CDD obligations.

Monitoring

Firms should put in place systems and controls to keep their assessments of the ML/TF risk associated with their business, and with their individual business relationships under review to ensure that their assessment of ML/TF risk remains up to date and relevant. The level, frequency and intensity of monitoring may be adjusted in a way that is commensurate to the ML/TF risk associated with the customer or the transactions. In high-risk situations, firms should consider whether enhanced ongoing monitoring of the relationship would be appropriate, including increasing the frequency of reviews to be satisfied that the firm continues to be able to manage the risk associated with the individual business. The guidelines list additional enhanced due diligence measures that may be of particular relevance in different sectors.

Sector-specific Guidelines

In addition, since the first publication of these Guidelines in 2017, the financial sector has evolved and existing and emerging risks have been identified. Therefore, new sectoral guidelines need to be included so as to tackle the specific AML/CFT risks of those sectors and to promote convergence in relation to the following sectors:

• crowdfunding platforms
• corporate finance
• account information service providers (AISPs)
• payment initiation services providers (PISPs), and
• firms providing activities of currency exchanges offices.

Next steps and Timing of application of revised guidelines

The guidelines will be translated into the official EU languages and published on the EBA website and will apply three months after publication in all EU official languages. Upon the date of application, the original guidelines will be repealed and replaced with the revised guidelines.

For more insight on compliance technology options and benefits, visit https://complyportal.uk/modules/ and find out how our straightforward, comprehensive compliance technology solution can help you and your organisation.

About ComplyPortal:

First developed in 2011 by compliance professionals for compliance officers, ComplyPortal offers workflow, automation, and several modules to help firms with control and regulatory compliance monitoring.

ComplyPortal simplifies financial services regulatory compliance management on an easy-to-use cloud-based comprehensive compliance platform. It enables compliance officers, risk officers and senior management to keep track of their firm’s regulatory responsibilities and workflows. Our platform includes the following modules, among others:

• Monitoring: a year-round schedule pre-populated with monitoring questionnaires to ease compliance processes.
• Registers: lists controlled by the Compliance officer, but easy for staff to view.
• Risk: map and control risk areas to effectively identify and manage risk for your firm.
• eKYC solution: perform comprehensive searches, including client identity verification, document authenticity, and more for a comprehensive KYC and AML approach

CLICK HERE TO GET STARTED!

While Europe’s financial institutions are struggling to absorb the shock caused by the COVID-19 pandemic, security risks and the frequency of Information and Communications Technology (ICT) and security-related incidents (including cyber incidents) are rising, which, in turn, has the potential to adversely impact financial institutions’ operational functioning.

The financial sector’s increasing digitalisation and the growing interconnectedness between financial institutions and third parties make financial institutions’ operations vulnerable to internal and external ICT and security risks that could potentially compromise their viability. As a result, sound ICT and security risk management are key for a financial institution to achieve its strategic, corporate, operational and reputational objectives.

For this reason, the European Banking Authority (EBA) issued its Guidelines on ICT and security risk management which entered into force on 30 June 2020. These guidelines set out EBA’s expectations on how financial institutions should manage the internal and external ICT and security risks.

Do you meet the requirements?

• Financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management and mitigation of ICT and security risks through an independent and objective control function, appropriately segregated from ICT operations processes and not responsible for any internal audit, and an independent internal audit function.
• Maintain up-to-date inventories of business functions and assess the operational risks related to ICT and the security risks and determine what measures are required to mitigate the identified risks.
• Requirements to implement effective information security measures, including having an information security policy in place; establishing, implementing and testing information security measures; and establishing a training programme for all staff and contractors.
• Requirements for ICT operations management including requirements to improve, when possible, the efficiency of ICT operations; implement logging and monitoring procedures for critical ICT operations; maintain an up-to-date inventory of ICT assets; monitor and manage the life cycle of ICT assets; and implement backup plans and recovery
• Requirements for ICT project and change management, including the acquisition, development and maintenance of ICT systems and services.
• Business continuity management and developing response and recovery plans, including testing, and their consequent updating based on the test results. Ensure effective crisis communication measures in place so that all relevant internal and external stakeholders can be informed in a timely manner.

If you don’t know where to start and are uncertain as to the security risks that exist in your organisation and how they should be identified and controlled, we are here to help you.

For more insight on compliance technology options and benefits, visit https://complyportal.uk/modules/ and find out how our straightforward, comprehensive compliance technology solution can help you and your organisation.

About ComplyPortal:

First developed in 2011 by compliance professionals for compliance officers, ComplyPortal offers workflow, automation, and several modules to help firms with control and regulatory compliance monitoring.

ComplyPortal simplifies financial services regulatory compliance management on an easy-to-use cloud-based comprehensive compliance platform. It enables compliance officers, risk officers and senior management to keep track of their firm’s regulatory responsibilities and workflows. Our platform includes the following modules, among others:

• Monitoring: a year-round schedule pre-populated with monitoring questionnaires to ease compliance processes.
• Registers: lists controlled by the Compliance officer, but easy for staff to view.
• Risk: map and control risk areas to effectively identify and manage risk for your firm.
• eKYC solution: perform comprehensive searches, including client identity verification, document authenticity, and more for a comprehensive KYC and AML approach

CLICK HERE TO GET STARTED!