1 FINANCIAL CRIME RISK ASSESSMENT
Goal:
- To apply Customer Due Diligence (CDD) measures (to identify/verify customers and to understand the nature and purpose of the proposed relationship);
- To maintain appropriate systems and controls for AML/CTF purposes;
- To monitor customer transactions and activities;
- To report suspicious activity, both internally and, if appropriate, externally;
- To keep appropriate records, and train staff;
- To comply with the UK financial sanctions regime.
Useful resources:
- Proceeds of Crime Act 2002 (as amended)
- Terrorism Act 2000, and the Anti-terrorism, Crime and Security Act 2001
- Counter-Terrorism Act 2008, Schedule 7 Financial sanctions
- Money Laundering Regulations 2017
- FCA regulated firms – the FCA Handbook
| Risk ID | Process title or description | What is the potential risk? | What would result if this occurred? | What process do we have in place to control the risk? | How will this be done? Who by and what will they be looking for? |
|---|---|---|---|---|---|
| AML/R1 | CDD — Onboarding for SDD | The customers are not who they say they are; the customer is not identified properly. | The PM does not know their customer. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | SDD accounts have a lifetime relationship limit and are subject to enhanced ongoing monitoring. | SDD accounts are clearly marked within the system and SDD limits are enforced on such accounts. |
| AML/R2 | CDD — Verification for EDD | The customer provides incorrect address information. | The PM does not know their customer. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | As part of the verification process, we check the customer's address against various databases from the industry's leading information provider — LexisNexis Bridger. | When a client reaches a certain account threshold, a check is automatically run and is reviewed by a compliance specialist. A certified third-party provider is used to access databases to run background checks. Account thresholds are the following: SDD account threshold: annual transaction volume up to 1,000 EUR; EDD account threshold: annual transaction volume up to 15,000 EUR; EDD + source of funds threshold: annual transaction volume more than 15,000 EUR. |
| AML/R3 | CDD — Verification for EDD | The customer provides fraudulent/altered documents. | The PM does not know their customer. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | We run image manipulation tests on all documents that are received from the customer. | As soon as we receive documents from the customer, we run a check whether the documents were altered or amended, using the following algorithms: Signature Analysis, Thumbnail Analysis, Error Level Analysis, JPEG Ghosts, Block Artifact Grid, Stamp. |
| AML/R4 | Internal risks — Verification for EDD | PM is unable to verify the customer. | The PM does not have the skills, experience or means to identify and verify the customer. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | The user would not be able to access the majority of services and would have SDD limits enforced on their accounts. | Such accounts are reviewed by a trained compliance specialist and extra background checks will be completed. |
| AML/R5 | CDD — Ongoing monitoring | Ongoing monitoring of the customer relationship. Failure to keep customer data up to date throughout the customer relationship. Failure to appropriately react to risk-based triggers. | Failure to identify and report suspected money laundering. | Real-time monitoring, where transactions and/or activities can be reviewed as they take place or are about to take place. After the event, through some independent review of the transactions and/or activities that a customer has undertaken. | The essentials of the monitoring system are: it flags up transactions and/or activities for further examination with an appropriate RiskID; these reports are reviewed within 24 hours by the designated compliance officer; appropriate action is taken on the findings of any further examination (account suspension, senior management notification, risk-profile change). |
| AML/R5-1 | CDD — Ongoing monitoring | Ongoing monitoring of the customer relationship. Failure to identify a dormant account reactivation and unauthorised use. | Changes in a customer's circumstances are not monitored. | Real-time monitoring, where transactions and/or activities can be reviewed as they take place or are about to take place. | The essentials of the monitoring system are: it flags up transactions and/or activities for further examination based on the account's historical transaction volume; all users are obliged to verify the device used for account access using device fingerprinting technology; upon reactivation of dormant accounts extra checks are carried out, including enhanced transaction monitoring and lower velocity limits. |
| AML/R6 | CDD — Onboarding for SDD | Customers are accepted from a jurisdiction which has not been approved for the product. | Potential breach of permission. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | We do not onboard clients from high-risk jurisdictions (see Countries List.xlsx). | In order to get the full use of the account, the customer must successfully pass the account verification procedures. Proof of Address documents from high-risk countries are not accepted. We limit access from high-risk jurisdictions based on the IP/location data. |
| AML/R7 | CDD — Screening | The customer is a Politically Exposed Person (PEP). | The business does not identify where EDD should be completed. There is no process for dealing with a PEP should they be identified. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | We run a check against several databases to verify if the client is a PEP. | Enhanced due diligence is applied to such customers. Senior management approval is necessary in order to interact with such a person. PEP customers are also subject to enhanced ongoing monitoring of the business relationship. Source of wealth and source of funds which are involved in the business relationship or occasional transaction are verified with reference to documents. |
| AML/R8 | CDD — Screening | The customer appears on one or more of the following Sanctions lists: HMT List, OFAC List, EU Consolidated List. | Having a customer who is on a sanctions list is in breach of the terrorist financing legislation. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | Prior to onboarding a client, we check the customer against sanction lists. | If a customer appears on the sanction list, it would not be possible to set up an account with us or to use any services. The customer's account would get blocked by the MLRO and senior management would be notified. |
| AML/R9 | Sanctions Ongoing Screening | An existing customer becomes a sanctioned individual during the course of the relationship (HMT List, OFAC List, EU Consolidated List). | The business does not identify where EDD should be completed. The risk in dealing with someone on the sanctions list is that we are in breach of the terrorist financing legislation. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | Ongoing screening of existing customers against sanction lists. | If a customer appears on the sanction list, all funds will be frozen and a report will be sent out to HM Treasury and the NCA for further course of action. |
| AML/R10 | Sanctions screening analysis | The PM does not have an effective process to analyse fuzzy matches. | A potential sanctions match is identified but not qualified or eliminated. The risk in dealing with someone on the sanctions list is that we are in breach of the terrorist financing legislation. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | Possible sanction list matches are filtered for a review. | Our system will highlight any possible matches and all cases will be reviewed by a trained compliance officer. Additional documentation will be requested before the customer gets onboarded to make sure that it is a false-positive match. |
| AML/R11 | CDD — Fraud | The card is obtained by someone other than the customer. | The card has been obtained fraudulently. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | Card activation is a separate step that has to be done by the customer. | All of our customers would need to activate the card prior to use. During the activation, personal information will be asked for and checked against our internal records. |
| AML/R12 | CDD — Onboarding | Multiple cards are provided to the same person (e.g. using different names but living at the same address). | The card has been obtained fraudulently. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | Automated address monitoring. | If the card order has the same delivery address as another user already has, the application will be put on hold and sent for a review by a compliance officer. |
| AML/R13 | Product Construct | The customer has access to higher limits than required. | Increased exposure to financial crime and / or fraud activity related to money laundering. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | Card limits are signed off by the BIN sponsor and enforced by Processor rules. | In order to have increased card limits, the customer would have to fully verify the account. Unverified customers do not have access to higher limits. |
| AML/R14 | Product Construct | The customer has access to purse parameters / velocity limits which are not required. | Increased exposure to financial crime and / or fraud activity related to money laundering. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | Wallet/velocity parameters are signed off by the BIN sponsor and enforced by Processor rules. | Access to higher limits is given only to fully verified accounts, based on the decision of a compliance officer and subject to all the necessary checks being carried out. There is no option for an automatic increase of the limits. |
| AML/R15 | Receiving Funds | Funds are received from a third party. | Money is received from an unverified 3rd party which is then laundered. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | Third-party account top-ups are prohibited and get refunded back to the payer. | Third-party deposits into the account are prohibited and would get refunded back to the sender. |
| AML/R16 | Receiving Funds | We do not understand the source of funds routinely loaded to the card. | Money is received from an unverified 3rd party which is then laundered. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | Corporate accounts have to pass EDD in order to be able to top up the PM prefunding account. | Card loads are limited to corporate loads only, with all the corporate accounts being fully EDD. |
| AML/R17 | Initial Account Loading | The source of the initial load is unknown and / or unusually high. | Increased exposure to financial crime and / or fraud activity related to money laundering. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | An unusually high load would flag the account. | Whenever a customer makes an unusually high load, the account is flagged and then reviewed by a trained compliance specialist. A source of funds confirmation would be obtained. |
| AML/R18 | Transaction Monitoring | PM does not identify any unusual or suspicious activity on the cardholder's account. | The product is used for fraud and / or money laundering purposes. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | Automated transaction monitoring. | We use an automated transaction monitoring system which uses a variety of techniques to detect any unusual/suspicious activity. Based on a third-party provider (GPS Protect) we screen each transaction against more than 200 rules and approve/reject it in real time. |
| AML/R19 | Reporting Suspicion — Account activity | Knowledge or suspicion of financial crime is identified but not reported. | A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | Training and reporting. | All members of staff undergo training and must report any suspicious activity to the compliance officer. If necessary, further reports are sent to the NCA. Reports are generated automatically and are reviewed by the MLRO to make sure the submission is done on time. |
| AML/R20 | Tipping Off | The cardholder is notified that a SAR has been submitted ('Tipping Off'). | A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | Training. | All members of staff are aware that disclosing information that an internal or external report has been made is a criminal offence. |
| AML/R21 | Fraud Management | Unauthorised persons attempt to access a customer's account. | Increased exposure to financial crime and / or fraud activity related to money laundering. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | Extensive security measures. | Our system analyses client information during the log-in process; the device fingerprint, IP address and location are checked against our records. Customers are notified about the importance of using 2FA in order to prevent unauthorised access to the account. |
| AML/R22 | Lost & Stolen cards | The customer loses their card and it is used by somebody else. | A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | Automated transaction monitoring. | We use the automated transaction monitoring system, which uses a variety of techniques to detect any unusual/suspicious activity and to block such cards in case of theft. There is an option to block the card via the web interface or in the mobile app. A 24/7 IVR line is available in case the customer doesn't have access to the internet. |
| AML/R23 | Card Delivery | The card is intercepted en route to the address provided during the onboarding stage. | The product is used for fraud and / or money laundering purposes. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | Card activation is a separate step that has to be done by the customer. | All customers would need to activate the card prior to use. During the activation, personal information will be asked for and checked against internal records. |
| AML/R24 | Programme Management | PM doesn't have enough resources to manage the product. | No one is looking at financial crime risk, so there is a large financial, reputational and legal risk to the business due to the likelihood of a customer being involved in financial crime. A lack of or out of date AML / KYC / fraud procedures leads to a breach of legislative requirements resulting in regulatory censure or legal action. | The company holds substantial reserves in order to allocate trained compliance officers in a timely manner. | We keep an adequate staff pipeline in order to manage the product should the amount of resources required increase drastically. |
| AML/R25 | Financial Crime Training | Anti-Money Laundering / Financial Crime training is not provided, or is inadequately provided. | Through lack of knowledge of procedures and legal requirements, staff act on client instructions without undertaking basic AML checks. This leads to unrecognised money laundering, resulting in criminal action including both financial penalty and custodial sentencing. Furthermore, there are potential reputational issues due to a lack of staff knowledge and the likelihood of being the victim of financial crime. | All compliance officers must be certified by an internationally recognised AML training institution (e.g. ICA). | All compliance officers undergo rigorous background checks and must obtain an internationally recognised certificate in order to manage the programme's AML obligations. |
| AML/R26 | Record keeping | PM does not keep adequate records. | PM and Issuer in breach of record-keeping requirements and unable to investigate any suspicion of fraud or financial crime properly. | All cardholder activity is logged and securely stored in an encrypted form in order to meet the PM's record-keeping requirements. | Customer information is stored on a remote, IP-restricted server and encrypted with bank-grade encryption (AES-256). All database connections are secured via SSL/TLS. All transactions are backed up in order to meet the record-keeping requirements should the production database fail. |
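The tiered verification thresholds of row AML/R2 and the dormant-account reactivation checks of AML/R5-1, worked through as an added Python example that is not the programme's or the page's own code; the tier names, the rolling 12-month window and the 180-day dormancy period are assumptions, and the sample history is constructed:

```python
"""Threshold-driven due-diligence tiering (added example, not the programme's code).

Encodes the AML/R2 thresholds (SDD up to 1,000 EUR annual volume, EDD up to
15,000 EUR, EDD plus source-of-funds evidence above that) and the AML/R5-1
rule that a dormant account's reactivation gets extra checks. The 12-month
rolling window, tier names and 180-day dormancy period are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

TIER_ORDER = ["SDD", "EDD", "EDD_SOF"]
# Upper bound of annual transaction volume (EUR) per tier; None = no cap.
TIER_CEILING_EUR = {"SDD": 1_000, "EDD": 15_000, "EDD_SOF": None}
DORMANT_AFTER_DAYS = 180   # assumed; the page gives no dormancy period


def required_tier(annual_volume_eur: float) -> str:
    """Lowest tier whose ceiling covers the given rolling annual volume."""
    for tier in TIER_ORDER:
        ceiling = TIER_CEILING_EUR[tier]
        if ceiling is None or annual_volume_eur <= ceiling:
            return tier
    raise AssertionError("unreachable: the last tier has no ceiling")


@dataclass
class Account:
    account_id: str
    verified_tier: str                # the tier the customer has passed
    history: list = field(default_factory=list)  # (ISO date, EUR) pairs

    def rolling_volume(self, as_of: date) -> float:
        """Sum of amounts in the 365 days ending at as_of (inclusive)."""
        start = as_of - timedelta(days=365)
        return sum(amt for d, amt in self.history
                   if start < date.fromisoformat(d) <= as_of)

    def last_activity(self):
        return max((date.fromisoformat(d) for d, _ in self.history), default=None)


def assess_transaction(acct: Account, when_iso: str, amount_eur: float) -> dict:
    """Return the tier the projected annual volume requires, the review
    reasons found (empty means no case) and a hold flag derived from them."""
    when = date.fromisoformat(when_iso)
    reasons = []
    projected = acct.rolling_volume(when) + amount_eur
    needed = required_tier(projected)
    if TIER_ORDER.index(needed) > TIER_ORDER.index(acct.verified_tier):
        reasons.append(f"threshold: {needed} verification required "
                       f"(projected annual volume {projected:.2f} EUR)")
    last = acct.last_activity()
    if last is not None and (when - last).days > DORMANT_AFTER_DAYS:
        reasons.append(f"dormant reactivation after {(when - last).days} days")
    # A held transaction waits for a trained compliance specialist's review.
    return {"required_tier": needed, "reasons": reasons, "hold": bool(reasons)}


if __name__ == "__main__":
    # Constructed sample: an SDD customer 50 EUR below the 1,000 EUR ceiling.
    acct = Account("ACC-0001", "SDD", [("2024-03-01", 600.0), ("2024-06-10", 350.0)])
    print(assess_transaction(acct, "2024-07-01", 100.0))
```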
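The sanctions screening of rows AML/R8 and AML/R10, as an added example that is not the programme's or the page's own code: fuzzy name matching over a constructed placeholder list, with every candidate routed to a reviewer rather than auto-cleared; the normalisation and scoring rules and the 0.80 review threshold are assumptions.

```python
"""Fuzzy sanctions screening that routes possible matches to review.

Added example, not the programme's own code. Row AML/R8 screens customers
against the HMT, OFAC and EU consolidated lists; AML/R10 requires fuzzy
matches to reach a compliance officer to qualify or eliminate. List entries
are constructed placeholders; scoring rules and the 0.80 threshold are assumed.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed entries in the shape of a consolidated-list export (not real).
SANCTIONS_LIST = [
    {"list": "HMT", "ref": "EXAMPLE-001", "name": "Ivan Petrovich Example",
     "aliases": ["I. P. Example"], "dob": "1970-01-01"},
    {"list": "OFAC", "ref": "EXAMPLE-002", "name": "Ex-Ample Trading Ltd",
     "aliases": ["EXAMPLE TRADING LIMITED"], "dob": None},
    {"list": "EU", "ref": "EXAMPLE-003", "name": "Zoë Ñandú Example",
     "aliases": [], "dob": "1985-05-05"},
]
REVIEW_THRESHOLD = 0.80


def normalise(name: str) -> str:
    """Strip diacritics and punctuation, casefold, and sort the tokens so that
    'Example, Ivan' and 'ivan example' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore")
    tokens = re.sub(r"[^a-z0-9 ]+", " ", ascii_name.decode().casefold()).split()
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Score in 0..1: character ratio on normalised names, escalated when one
    name's tokens all occur in the other's (e.g. a missing middle name)."""
    na, nb = normalise(a), normalise(b)
    score = SequenceMatcher(None, na, nb).ratio()
    ta, tb = set(na.split()), set(nb.split())
    shorter, longer = (ta, tb) if len(ta) <= len(tb) else (tb, ta)
    if len(shorter) >= 2 and shorter <= longer:
        score = max(score, 0.9)   # assumed floor for token-subset hits
    return score


def screen(customer_name: str, customer_dob=None, threshold=REVIEW_THRESHOLD):
    """Return candidates scoring at or above the threshold, best first; each
    records the matched name variant and the date-of-birth check so the
    reviewer sees what qualified the hit. An empty list means no case."""
    candidates = []
    for entry in SANCTIONS_LIST:
        variants = [entry["name"], *entry["aliases"]]
        best_name, score = max(((v, similarity(customer_name, v)) for v in variants),
                               key=lambda pair: pair[1])
        if score < threshold:
            continue
        if customer_dob is None or entry["dob"] is None:
            dob_check = "unknown"
        else:
            dob_check = "match" if customer_dob == entry["dob"] else "mismatch"
        candidates.append({"list": entry["list"], "ref": entry["ref"], "matched_name": best_name,
                           "score": round(score, 3), "dob_check": dob_check})
    # Nothing is auto-cleared: every candidate goes to a compliance officer.
    return sorted(candidates, key=lambda c: c["score"], reverse=True)
```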