Develop and implement a financial crime risk and control assessment framework

URN: FSPCFC3
Business Sectors (Suites): Countering Financial Crime
Developed by: Financial Skills Partnership
Approved on: 2016

Overview

This standard is about developing and implementing a financial crime risk and control assessment framework. You must develop and implement a framework to assess the risks from financial crime to your organisation and the controls that can be applied to manage and mitigate these. You must take into consideration the internal and external risks of financial crime occurring and the consequent impact that financial crime would have on your organisation, together with the likelihood of its recurrence. This standard is relevant to roles in countering financial crime.


Performance criteria

You must be able to:

  1. identify business nature, scale, complexity and operating environment
  2. identify the threats to the organisation and vulnerabilities
  3. assess the probability of the risk materialising and the impact when it does
  4. identify the senior management’s tolerance to the risks identified
  5. implement systems and controls to manage and mitigate those threats and vulnerabilities
  6. document key risk indicators to identify when systems and controls have been breached/compromised
  7. monitor and measure the effectiveness of the systems and controls
  8. identify improvements to be made to strengthen the effectiveness of the systems and controls
  9. document clearly the risk framework in line with organisational requirements
  10. develop an ongoing review process for the assessment framework
  11. ensure flexibility within the assessment framework to accommodate the evolution of the operating environment, including trigger events
  12. confirm countering financial crime is a standing agenda item at appropriate oversight committee meetings
  13. provide regular relevant management information to those committees informing appropriate persons of the organisation’s exposure to financial crime risk
  14. track actions arising from those committees and follow appropriate escalation procedures

Knowledge and Understanding

You need to know and understand:

  1. your organisation’s strategy and approach towards countering financial crime and how it is communicated
  2. information on your organisation’s policies and procedures required to enable you to make an accurate assessment of financial crime risks
  3. how to identify emerging/new risks and assess their potential impact on your organisation and customers and how this can be used to design appropriate mitigating systems and controls
  4. how to conduct root cause analysis in respect of crystallised risks
  5. the importance of using external intelligence commentary and assessments
  6. nature, scale and complexity and the operating environment of your organisation
  7. information required to make an informed risk and control assessment
  8. appropriate tools, methods and techniques available to carry out a risk and control assessment
  9. how to identify and document the risks of financial crime to your organisation
  10. how to develop key risk indicators to assist in assessing the impact of financial crime on the organisation
  11. tools and resources available to manage financial crime risks
  12. how the framework for combating financial crime risk sits within the overall architecture of the organisation’s risk management framework
  13. departmental inter-dependencies
  14. the importance of horizon scanning and its implications to the organisation
  15. the importance of countering financial crime being a standing agenda item at committee meetings
  16. why it is important to monitor and assess any actions arising from committee meetings
  17. how to influence committees effectively
  18. what are the key drivers for countering financial crime
  19. the escalation process for failed or untimely activity
  20. past risk events and any lessons learnt
  21. the legislation, regulations and codes of practice, relevant to you and your organisation and any specific obligations

Glossary

Financial Crime
This includes any offence involving money laundering, terrorist financing, fraud or dishonesty, or market abuse. (Definition based on the FCA definition of financial crime.) This includes financial crime both internal and external to a financial services organisation.

Legal and regulatory requirements
This refers to a range of obligations incumbent upon financial organisations and is commonly referred to as ‘compliance requirements’. The legal and regulatory requirements of an organisation or individual/s within it (such as ‘approved persons’) may differ slightly according to the type of financial organisation and the services it offers. The regulator of all providers of financial services in the UK oversees a number of regulated activities under powers derived from the Financial Services and Markets Act 2000.
A number of other pieces of UK legislation are relevant to the countering of financial crime, for example the Proceeds of Crime Act (POCA), the Serious Organised Crime and Police Act (SOCPA) and the Fraud Act 2006.
UK financial institutions are also subject to European Commission legislation enacted by the British Government, such as the Market Abuse Directive and the Basel 2 Accord (for capital adequacy).
Financial organisations, like any other employer, are also subject to a range of legal requirements covering areas such as discrimination, equality and diversity, health and safety, and data protection.

Organisation
This refers to an organisation that offers financial services; this could be insurance, investment, lending and credit, pensions, securities and derivatives. It includes organisations in both the public and private sector.

Systems and controls
The practices and procedures put in place to protect an organisation from financial crime. In some cases it is accepted that certain (or indeed all) types of financial crime cannot be wholly prevented, but controls can limit its extent and impact.


Indicative Review Date

2021

Validity

Current

Status

Original

Relevant Occupations

Accounting and Finance, Finance

SOC Code

2422

Keywords

Reporting procedures; financial crime; culture