Firm Name: Hirett Ltd
Date: 20 June 2020
Assessment of the adequacy of the mitigation measures and control mechanisms implemented in response to those risks
Description of security measures to mitigate security and operational risks identified as a result of the above assessment
Hirett Ltd takes seriously the threat of disaster, including loss of access to premises or systems or other circumstances that could impact our ability to service clients. Our risks and disaster recovery policy for each prime scenario is documented below and is designed to mitigate key risks to continuity of client service. Our relatively small size makes us able to adapt very rapidly to changing situations to ensure continuity of customer service.
Loss of access to server/data
The company maintains a backup record of client records for use in emergencies if the main server is unavailable. Management therefore believe that a short-term loss of access to data is not critical. A long-term loss of access to data would require us to recover our full data set from backup onto new servers.
Loss of access to premises
In the event of a loss of access to our premises, our staff will work from home until further notice and will be able to serve our customers on an interim basis from there.
Loss of key personnel
We cross train key members of staff in each other’s role.
The risks to the financial sector primarily involve being used to facilitate money laundering, whether knowingly or unwittingly. That risk is increased if the money launderer can hide behind corporate structures such as limited companies, offshore trusts and nominee arrangements. It is the role of the firm’s MLRO, __________, to ensure staff are well educated, have access to training material and are regularly tested. Hirett Ltd shall deploy certain AML training to its compliance partner, Hirett Ltd, on a periodic basis. Management have the ultimate responsibility for AML/CTF process and need to understand the ML risks. All staff are expected to take ownership and assist the MLRO in the establishment and maintenance of effective anti-money laundering systems and controls.
We use a bespoke IT system that provides secure access, breach prevention, data analysis, logging and reporting. The system validates identity documentation; if a document is not valid or has expired, the transaction is immediately rejected. We consider all our systems critically important at the highest level.
Our staff need access to customer data in order to perform their jobs and duties, but this is limited to ‘relevant access’ only. By this we mean that staff should not be able to access information that they do not require to perform their roles.
Management is tasked to conduct random and periodic checks to ensure that staff are accessing only relevant information and customer data.
Management will conduct security checks and consider things such as:
- disabling USB ports/drives and CD drives on computers if staff do not need them to do their jobs
- clearing records/information when issuing laptops to new staff
- staff to change passwords on a monthly basis
- ensuring staff do not exchange passwords with colleagues
- ensuring staff do not write down passwords
- check which staff take computers home
- have a system in place to manage stolen computers
- data encryption
For some information the risks of failure to provide adequate security may be so high that it should never be taken home. This might include payroll information, addresses of customers and staff, disciplinary or appraisal records or bank account details. Exceptions to this may only be with the explicit agreement of the principal.
Full backups of all Hirett Ltd data are performed weekly and are stored on remote secure servers (in the “cloud”). Full backups are retained for 3 months before being overwritten. Incremental backups of all Hirett Ltd data are performed daily. Incremental backups are retained for 1 month before being overwritten. Where possible, backups are run overnight and are completed before 8am on working days. Upon completion of backups, media copies are moved automatically to a secure remote site for disaster recovery purposes. Backups are stored in secure locations. A limited number of authorised personnel have access to the backup application and media copies. Requests for backup data from 3rd parties must be approved by Mr. __________.
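As an added illustration (not part of Hirett Ltd's document or its backup tooling), the Python script below checks a backup catalogue against the schedule stated above: weekly fulls, daily incrementals, retention windows, and completion before 8am on working days. The catalogue is constructed sample data, and the 90-day and 30-day figures for “3 months” and “1 month” are assumptions, since the document gives no exact day counts.

```python
from datetime import datetime, timedelta

# Policy thresholds from the backup section. The day counts for the
# "3 months" and "1 month" retention windows are assumptions (90 and 30 days).
FULL_INTERVAL_DAYS = 7
INCR_INTERVAL_DAYS = 1
FULL_RETENTION_DAYS = 90
INCR_RETENTION_DAYS = 30
DEADLINE_HOUR = 8  # working-day backups must finish before 08:00


def check_backup_policy(records, now):
    """records: iterable of (kind, finished_at) with kind 'full' or 'incremental'.
    Returns a list of findings; an empty list means the catalogue meets the policy."""
    findings = []
    policy = (("full", FULL_INTERVAL_DAYS, FULL_RETENTION_DAYS),
              ("incremental", INCR_INTERVAL_DAYS, INCR_RETENTION_DAYS))
    for kind, interval, retention in policy:
        times = sorted(t for k, t in records if k == kind)
        if not times:
            findings.append(f"no {kind} backups in catalogue")
            continue
        # The most recent copy must not be older than the scheduled interval
        if (now.date() - times[-1].date()).days > interval:
            findings.append(f"latest {kind} backup ({times[-1]:%Y-%m-%d}) is overdue")
        # No gap between consecutive copies may exceed the scheduled interval
        for prev, cur in zip(times, times[1:]):
            if (cur.date() - prev.date()).days > interval:
                findings.append(f"gap in {kind} backups: {prev:%Y-%m-%d} to {cur:%Y-%m-%d}")
        for t in times:
            # Copies older than the retention window should already be overwritten
            if (now.date() - t.date()).days > retention:
                findings.append(f"{kind} backup from {t:%Y-%m-%d} is past its retention window")
            # Monday-Friday (weekday() < 5) backups must finish before the deadline
            if t.weekday() < 5 and t.hour >= DEADLINE_HOUR:
                findings.append(f"{kind} backup on {t:%Y-%m-%d} finished late ({t:%H:%M})")
    return findings


def sample_catalogue():
    """Constructed sample (not real data): Sunday fulls at 01:00 and daily incrementals
    at 03:00 for the four weeks ending 2020-06-20, with one incremental skipped on
    2020-06-10 and one overrunning into working hours on 2020-06-03."""
    start = datetime(2020, 5, 24)  # a Sunday
    records = []
    for offset in range(28):
        day = start + timedelta(days=offset)
        if day.weekday() == 6:
            records.append(("full", day.replace(hour=1)))
        if day == datetime(2020, 6, 10):
            continue  # simulated missed incremental
        hour = 9 if day == datetime(2020, 6, 3) else 3  # simulated late finish
        records.append(("incremental", day.replace(hour=hour)))
    return records


if __name__ == "__main__":
    for finding in check_backup_policy(sample_catalogue(), datetime(2020, 6, 20, 12)):
        print(finding)
```

Run against a real catalogue, the function gives management a repeatable check for the periodic reviews described elsewhere in this document.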
All staff are responsible for ensuring that:
- Any personal data which they hold is kept securely.
- Personal information is not disclosed, either orally or in writing, accidentally or otherwise, to any unauthorised third party.
Staff should note that unauthorised disclosure and/or failure to adhere to the requirements set out in 5.3 to 5.7 inclusive below will usually be a disciplinary matter, and may be considered gross misconduct in some
Personal information should be kept in a locked filing cabinet or a locked drawer; if it is computerised, it must be password protected; and when kept or in transit on portable media, the files themselves must be password protected.
Personal data should never be stored at staff members’ homes, whether in manual or electronic form, on laptop computers or other personal portable devices or at other remote sites.
Ordinarily, personal data should not be processed at staff members’ homes, whether in manual or electronic form, on laptop computers or other personal portable devices or at other remote sites. In cases where such off-site processing is felt to be necessary or appropriate, the agreement of the relevant Data Controller must be obtained, and all the security guidelines given in this document must still be followed.
Data stored on portable electronic devices or removable media is the responsibility of the individual member of staff who operates the equipment. It is the responsibility of this individual to ensure that:
- Suitable backups of the data exist
- Sensitive data is appropriately encrypted
- Sensitive data is not copied onto portable storage devices without first consulting a Data Controller, in regard to appropriate encryption and protection measures
- Electronic devices such as laptops, mobile devices and computer media (USB devices, CDs etc.) that contain sensitive data are not left unattended when offsite
Data Protection and Data Security
The Company takes seriously its responsibility for Data Protection, Confidentiality and Security. No staff member will take with them from the company premises, in soft or hard copy, details of clients, policy information or any other data that may be perceived as confidential. Our systems and data are accessed by each individual using their own login and password. Our staff will not, under any circumstances, share their system login details with each other or with any 3rd party, internal or external. All client documentation which is not required or used will be suitably shredded and disposed of.
Remitter and Customer Due Diligence
Hirett Ltd applies measures based on a risk-sensitive basis, identifying situations which can present a (higher than usual) risk of money laundering or terrorist financing. As part of this, under our risk-based approach, if our standard method for evidence of identity is insufficient in relation to the money laundering or terrorist financing risk, we can obtain additional information about that particular remitter.
Hirett Ltd uses a service provider (i.e. Credit Safe) to check clients’ details and ensure that all information provided coincides with the details provided by the client. Any inconsistencies must be raised with the MLRO through an internal SAR (see the company SAR process). If staff suspect that fake or fraudulent ID has been presented, they must not disclose or discuss their concerns with anyone else, including the presenter of the ID, as this may count as “tipping off”, which is a severely punishable offence.
As a part of the risk-based approach, we hold sufficient information about the circumstances and business of the remitter for two reasons:
- To manage money laundering/terrorist financing risks effectively
- To provide a basis for monitoring remitter activity and transactions, thus detecting the use of our services for money laundering and terrorist financing
The extent of additional information needed (i.e. the need for extra identification) and of any monitoring carried out in respect of any particular client or class/category of client will depend on the money laundering or terrorist financing risk that the client, or class/category of client, is assessed to present.
Conclusions of the results of the risk assessment and summary of actions required as a result of this assessment
The methodology used to assess effectiveness and adequacy of mitigation measures and control mechanisms is based on FCA and EBA guidelines, recommendations from published analyses of previous cases, our own experience and the experience of other firms in our industry.
Our assessment of the current adequacy and effectiveness of mitigation measures and control mechanisms is satisfactory. We intend to continue to apply the best practices and stay on top of the latest developments related to risks and security in our industry.
In terms of security risks, the measures taken by us are adequate in preventing, reporting and predicting any security breaches or risk of fraud or money laundering. At this time, no deficiencies have been identified and we don’t require corrective actions.