FCA and PRA licenses (authorisations) and ongoing compliance support, training, recruitment. Contact us 7 days a week, 8am-11pm. Free consultations. Phone / Whatsapp: +4478 3368 4449  Email: hirett.co.uk@gmail.com

1 FINANCIAL CRIME RISK ASSESSMENT

Goal:

  • To apply Customer Due Diligence (CDD) measures (to identify/verify customers and to understand the nature and purpose of the proposed relationship);
  • To maintain appropriate systems and controls for AML/CTF purposes;
  • To monitor customer transactions and activities;
  • To report suspicious activity, both internally and, if appropriate, externally;
  • To keep appropriate records, and train staff;
  • To comply with the UK financial sanctions regime.

Useful resources:

  • Proceeds of Crime Act 2002 (as amended)
  • Terrorism Act 2000, and the Anti-terrorism,
  • Crime and Security Act 2001
  • Counter-Terrorism Act 2008, Schedule 7 Financial sanctions
  • Money Laundering Regulations 2017,
  • FCA regulated firms – the FCA Handbook
Risk ID Process What is the potential What would result if this What process do we How will this be done? Who by and what will they be
title or risk? occurred? have in place to control looking for?
description the risk?
AML/R1 CDD — The customers are not The PM does not know their SDD accounts have a SDD accounts are clearly marked within the system and
Onboarding who they say they are, customer. lifetime relationship limit SDD limits are enforced on such accounts.
for SDD the customer is not and are subject to
identified properly A lack of or out of date AML / enhanced ongoing
KYC / fraud procedures leads monitoring.
to a breach of legislative
requirements resulting in
regulatory censure or legal
action
AML/R2 CDD — The customer provides The PM does not know their As part of the verification When a client reaches a certain account threshold, a check
Verification incorrect address customer. process, we check is automatically run and is reviewed by compliance
for EDD information customer’s address against specialist. A certified third-party provider is used to access
A lack of or out of date AML / various databases from databases to run background checks.
KYC / fraud procedures leads industry’s leading
to a breach of legislative information provider — Account thresholds are the following:
requirements resulting in LexisNexis Bridger SDD account threshold: annual transaction volume up to
regulatory censure or legal
action 1000EUR
EDD account threshold: annual transaction volume up to
15.000EUR
EDD + source of funds threshold: annual transaction
volume more than 15.000EUR
AML/R3 CDD — The customer provides The PM does not know their We run image manipulation As soon as we receive documents from the customer, we
Verification fraudulent/altered customer. tests on all documents that run a check if documents were altered or amended using the
for EDD documents are received from the following algorithms:
A lack of or out of date AML / customer.
KYC / fraud procedures leads Signature Analysis
to a breach of legislative Thumbnail Analysis
requirements resulting in Error Level Analysis
regulatory censure or legal JPEG Ghosts
action Block Artifact Grid
Stamp
AML/R4 Internal risks PM is unable to verify The PM does not have The user would not be able Such accounts are reviewed by trained compliance
— Verification customer the skills, experience or to access the majority of specialist, extra background checks will be completed
for EDD means to identify and services and would have
verify the customer SDD limits enforced on
A lack of or out of date their accounts.
AML / KYC / fraud
procedures leads to a
breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R5 CDD — Ongoing monitoring of Failure to identify and Real-time monitoring, The essentials of system of monitoring are:
Ongoing Customer relationship report suspected money where transactions
monitoring laundering. and/or activities can it flags up transactions and/or activities for further
Failure to keep customer be reviewed as they examination with an appropriate RiskID
data up to date take place or are these reports are reviewed with 24 hours by the
throughout the customer about to take place designated compliance officer
relationship. After the event, appropriate action is taken on the findings of any
Failure to appropriately through some further examination (account suspension, senior
react to risk-based independent review management notification, risk-profile change)
triggers of the transactions
and/or activities that
a customer has
undertaken
AML/R5-1 CDD — Ongoing monitoring of Changes in a customer’s Real-time monitoring, The essentials of system of monitoring are:
Ongoing Customer relationship circumstances are not where transactions
monitoring monitored. and/or activities can it flags up transactions and/or activities for further
Failure to identify a be reviewed as they examination based on the account historical
dormant account take place or are transaction volume
reactivation and about to take place all users are obliged to verify the device used for
unauthorised use. account access using device fingerprinting technology
upon reactivation of dormant accounts extra checks
are being carried out, including enhanced transaction
monitoring and lower velocity limits
AML/R6 CDD — Customers are accepted Potential breach of We do not onboard clients In order to get the full use of the account, customer must
Onboarding from a jurisdiction which permission from high-risk jurisdictions successfully pass the account verification procedures.
for SDD has not been approved A lack of or out of date
for the product AML / KYC / fraud Countries List.xlsx Proof of Address documents from high-risk countries
procedures leads to a are not accepted.
breach of legislative We limit an access from high-risk jurisdictions based
requirements resulting in on the IP/location data.
regulatory censure or
legal action.
AML/R7 CDD The customer is a The business do not We run a check against Enhaced due diligence is applied to such customers
—Screening Politically Exposed identify where EDD several databases to verify Senior management approval in necessary in order to
Person (PEP) should be completed. if the client is a PEP interact with such person.
There is no process for PEP customers are also subject to enhanced ongoing
dealing with a PEP monitoring of the business relation.
should they be identified Source of wealth and source of funds which are
A lack of or out of date involved in the business relationship or occasional
AML / KYC / fraud transaction are verified with reference to documents;
procedures leads to a
breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R8 CDD — The customer appears on Having a customer who Prior to onboarding a If a customer appears on the sanction list, it would not be
Screening one or more of the is on a sanctions list is in client, we check customer possible to set up an account with us or to use any services.
following Sanctions lists: breach of the terrorist against sanction lists
financing legislation. Customer’s account would get blocked by MLRO and senior
HMT List A lack of or out of date management would be notified.
OFAC List AML / KYC / fraud
EU Consolidated procedures leads to a
List breach of legislative
requirements resulting in
regulatory censure or
legal action
Sanctions An existing customer The business do not Ongoing screening of If a customer appears on the sanction list, all funds will be
Ongoing becomes a sanctioned identify where EDD existing customers against frozen and a report will be sent out to the HM Treasury and
Screening individual during the should be completed. sanction lists NCA for further course of actions
course of the
AML/R9 relationship. The risk in dealing with
someone on the
HMT List sanctions list is that we
OFAC List are in breach of the
EU Consolidated terrorist financing
List legislation.
A lack of or out of date
AML / KYC / fraud
procedures leads to a
breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R10 Sanctions The PM does not have A potential sanctions Possible sanction list Our system will highlight any possible matches and all
screening an effective process to match is identified but matches are filtered for a cases will be reviewed by trained compliance officer.
analysis analyse fuzzy matches. not qualified or review Additional documentation will be requested before the
eliminated. customer gets onboarded to make sure that it is a
The risk in dealing with false-positive match.
someone on the
sanctions list is that we
are in breach of the
terrorist financing
legislation.
A lack of or out of date
AML / KYC / fraud
procedures leads to a
breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R11 CDD — The card is obtained by The card has been Card activation is a All of our customers would need to activate the card
Fraud someone other than the obtained fraudulently. separate step that has to prior to use,
customer A lack of or out of date be done by the customer During the activation, personal information will be
AML / KYC / fraud asked and checked against our internal records.
procedures leads to a
breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R12 CDD Multiple cards are The card has been Automated address If the card order has the same delivery address as the other
—Onboarding provided to the same obtained fraudulently. monitoring user already has, an application will be put on hold and sent
person (e.g. using A lack of or out of date for a review by a compliance officer.
different names but living AML / KYC / fraud
at the same address) procedures leads to a
breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R13 Product The customer has access Increased exposure to Card limits are signed off In order to have increased card limits, the customer
Construct to higher limits than financial crime and / or by BIN sponsor and would have to fully verify the account.
required fraud activity related to enforced by Processor Unverified customers do not have an access to higher
money laundering rules. limits
A lack of or out of date
AML / KYC / fraud
procedures leads to a
breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R14 Product The customer has access Increased exposure to Wallet/velocity parameters An access to higher limits is given only to the fully
Construct to purse parameters / financial crime and / or are signed off by BIN verified accounts, based on the decision of a
velocity limits which are fraud activity related to sponsor and enforced by compliance officer and subject to all the necessary
not required money laundering Processor rules. checks being carried out.
A lack of or out of date There is no option for an automatic increase of the
AML / KYC / fraud limits.
procedures leads to a
breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R15 Receiving Funds are received from Money is received from Third-party account top ups Third-party deposits into the account are prohibited and
Funds a third party an unverified 3rd party are prohibited and get would get refunded back to the sender.
which is then laundered refunded back to the payer.
A lack of or out of date
AML / KYC / fraud
procedures leads to a
breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R16 Receiving We do not understand Money is received from Corporate accounts have Card loads are limited to corporate loads only, with all the
Funds the Source of funds an unverified 3rd party to pass EDD in order to be corporate accounts being fully EDD.
routinely loaded to the which is then laundered able to top up the PM
card A lack of or out of date prefunding account.
AML / KYC / fraud
procedures leads to a
breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R17 Initial Account The source of the initial Increased exposure to Unusually high load would Whenever customer is making an unusually high load, such
Loading load is unknown and / or financial crime and / or flag the account. account does get flagged and then reviewed by the trained
unusually high fraud activity related to compliance specialist. A source of funds confirmation would
money laundering be obtained.
A lack of or out of date
AML / KYC / fraud
procedures leads to a
breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R18 Transaction PM does not The product is used for Automated transaction We use the automated transaction monitoring system which
Monitoring identify any fraud and / or money monitoring uses a variety of techniques to detect any
unusual or laundering purposes unusual/suspicious activity. Based on third party provider
suspicious activity A lack of or out of date (GPS protect) we screen each transaction against more than
on the cardholder’s AML / KYC / fraud 200 rules and approve/reject it in real time.
account procedures leads to a
breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R19 Reporting Knowledge or A lack of or out of date Training and reporting All members of the staff undergo training and must
Suspicion suspicion of AML / KYC / fraud report any suspicious activity to the compliance officer.
Account financial crime is procedures leads to a If necessary further reports are sent to NCA.
activity identified but not breach of legislative Reports are generated automatically and are reviewed
reported requirements resulting in by the MLRO to make sure the submission is done on
regulatory censure or time.
legal action
AML/R20 Tipping Off Cardholder is A lack of or out of date Training All members of staff are aware that
notified that a SAR AML / KYC / fraud disclosing an information regarding internal or external
has been submitted procedures leads to a report has been made is a criminal offence.
(‘Tipping Off’) breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R21 Fraud Unauthorised Increased exposure to Extensive security Our system analyses client information during the log
Management persons attempt to financial crime and / or measures in process, device fingerprint, IP address and location
access a fraud activity related to are checked against our records.
customers account money laundering Customers are notified about the importance of use of
A lack of or out of date 2FA authentication in order to prevent unauthorised
AML / KYC / fraud access to the account
procedures leads to a
breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R22 Lost & Stolen The customer loses their A lack of or out of date Automated transaction We use the automated transaction monitoring system
cards card and it is used by AML / KYC / fraud monitoring which uses a variety of techniques to detect any
somebody else procedures leads to a unusual/suspicious activity and to block such cards in
breach of legislative case of the theft.
requirements resulting in There is an option to block the card via the web
regulatory censure or interface or on a mobile app.
legal action 24/7 IVR line is available in case customer doesn’t
have an access to the internet.
AML/R23 Card Delivery The card is The product is used for Card activation is a All customers would need to activate the card prior to
intercepted on fraud and / or money separate step that has to use. During the activation, personal information will be
route to the laundering purposes be done by the customer asked and checked against internal records.
address provided A lack of or out of date
during the on AML / KYC / fraud
boarding stage procedures leads to a
breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R24 Programme PM doesn’t have enough No one is looking at Company holds a We keep a adequate staff pipeline in order to manage the
Management resources to manage the financial crime risk so substantional reserves in product should the amount of resources required increase
product there is a large financial, order to allocate trained drastically.
reputational and legal compliance officers in a
risk to the business due timely manner.
to the likelihood of this
customer being involved
in financial crime.
A lack of or out of date
AML / KYC / fraud
procedures leads to a
breach of legislative
requirements resulting in
regulatory censure or
legal action
AML/R25 Financial Anti-Money Through lack of All the compliance All compliance officers undergo rigorous backgrounds
Crime Laundering / knowledge of procedures officers must be checks and must obtain an internationally recognised
Training Financial Crime and legal requirements, certified by an certificate in order to manage the programme’s AML
training is not or is staff act on client internationally obligations.
inadequately instructions without recognised AML
provided. undertaking basic AML training institution.
checks. This leads to (e.g ICA)
unrecognised money
laundering, resulting in
criminal action including
both financial penalty
and custodial
sentencing.
Furthermore, there are
potential reputational
issues due to a lack of
staff knowledge and the
likelihood of being the
victim of financial crime
AML/R26 Record PM does not keep PM and Issuer in breach All the cardholder activity is Customer information is being stored on a remote,
keeping adequate records of record keeping logged and securely stored IP-restricted server and being encrypted by a
requirements and unable in an encrypted form in bank-grade encryption (AES-256).
to investigate and order meet PM’s All databased connections are secured via SSL/TLS
suspicion of fraud or recordkeeping All the transaction are backed up in order to meet the
financial crime properly requirements. record-keeping requirements should the production
database fail.