Breaking with Tradition: Rethinking Financial Crime Policy Management

Written by Alan Entwistle on Friday March 23, 2018

In the wake of the Criminal Finances Act 2017, what is the future of financial crime policy management?

Within the realm of financial crime policy management, there is an established and traditional approach to responding to legislative evolutions. As required by regulations, the first and fundamental step is the establishment and maintenance of policies, controls and procedures to mitigate and manage risk (UK Money Laundering Regulations 2017). In line with this, the vast majority of firms will have put policies in place covering the following financial crime disciplines:

• anti money laundering and counter financing of terrorism;
• sanctions;
• anti-bribery and corruption, and;
• fraud prevention.

Some firms may cast the financial crime net a little wider and include a policy discipline for market abuse. Whatever the scope of the department, the characteristics of the policies created in response to legislation will be similar across industry. Each policy will:

• focus on a singular discipline;
• ensure alignment to relevant regulatory and legislative requirements, and;
• push control and compliance requirements out into the front office.

This approach of responding to legislative change through creating new policies works. However, this discipline-centric approach to policy management is not absent of challenges. Recently, such a challenge was presented by the Criminal Finances Act 2017 which introduced the new corporate criminal offence of ‘failure to prevent the facilitation of tax evasion’ (the CCO), and a requirement for firms to evidence ‘reasonable prevention procedures’.

The traditional approach in response to the CCO would necessitate the introduction of a new standalone policy discipline with an appropriately pithy acronym for the supporting policy document – perhaps the FTPFTE Policy. However, this continuous creation of new policies presents sustainability challenges through:

• creating another singular and siloed discipline;
• requiring further resource to manage the freshly created procedures, and;
• increasing the control and compliance overheads pushed into the front office.

Adhering to the traditional model will inevitably create a perpetually swelling tome of internal compliance documents and requirements. However, perhaps unintentionally, the creation of the CCO points to a simpler model which moves away from discipline-centricity. A model which is rooted within the customer journey and has the potential to unite existing disciplines in common cause.

Responding to the CCO

Prior to creating a new standalone policy discipline for the CCO, one should consider the attributes of the offence and the defence of ‘reasonable prevention procedures’ in the context of a firm’s existing financial crime policy suite, and wider risk disciplines.

The offence of facilitating tax evasion is, at its core, a dishonest and fraudulent act perpetrated by an associated person of the firm. This relationship of facilitation to the established discipline fraud highlights one of many dependencies an ‘anti-facilitation’ control framework will have upon existing policies and their associated control and compliance requirements. Where a firm has a fraud prevention policy, with specific requirements regarding internal fraud risks, that firm has a piece of the ‘anti-facilitation’ jigsaw to hand.

Following this logic, firms can start to piece together further financial crime policy requirements which contribute to the anti-facilitation control environment, for example:

• supplier risk assessments required as part of an anti-bribery policy
• suspicious activity reporting required through an AML/CTF policy
• fraud prevention training and awareness materials.

To ensure a full picture of anti-facilitation controls is attained, a firm will need to look beyond financial crime policies to understand and leverage wider controls, such as:

• tax transparency controls (e.g. CRS/FATCA) which may be captured in a centralised tax policy
• colleague vetting controls – potentially housed in a human resources department
• product risk management processes – if centrally controlled and overseen
• an anonymous internal whistle-blowing service
• operational controls requiring the segregation of back office operational execution for key processes.

This is not to say these controls and compliance requirements will immediately align to an anti-facilitation agenda. Some, such as training materials, will need to be enhanced so that they better reflect the desired messaging. However, in following this process firms can begin to piece together a network of pre-existing controls which can be enhanced and aligned to evidence the reasonableness of its anti-facilitation control network.

Such a networked approach negates the requirement to document a singular ‘policy’ as per the traditional model outlined above. Rather than a policy, a firm needs a map which can be produced to document, evidence and monitor the dependencies in place. Therefore, one must ask how best to draw that map so that the firm, colleagues and the regulator can clearly follow it.

Journey-Based Policy Management

Combatting financial crime can be (overly) simplified into four categories of institutional activity.

• Governance – Setting a framework of accountability and responsibility for the evaluation and management of financial crime risk across the firm.
• Prevention (P) – Ensuring financial crime threats are identified and associated risks are mitigated through the deployment and maintenance of effective systems, controls, processes and procedures, prior to establishing a relationship and during the lifecycle of that relationship.
• Detection (D) – Ensuring financial crime events are effectively identified and managed through the deployment and maintenance of effective systems, controls and processes, during the lifecycle of that relationship.
• Response (R) – Ensuring appropriate and proportionate group-wide response plans are in place, thereby enabling business units to comprehensively react to financial crime events.

The final three categories of activity comfortably align to a simple customer journey:

Applying this model to the CCO enables a firm to document how facilitation risks may materialise through colleague/customer interactions through each journey stage. For example:

1. The risk of fraudulent information being used in an attempt to establish a new account relationship.
2. The risk of customer data being manipulated to prevent regulatory/transparency reporting requirements.
3. The risk of colleagues being insufficiently aware of their obligations to report misconduct relating to facilitation scenarios.

Once such risks are captured, all of the controls across the network (including those which extend beyond the immediate financial crime environment) can be categorised into those which aide the firm’s prevention, detection and response to facilitation risks. Through this process a firm will create its map of controls for ongoing monitoring.

Wider implications

The principles of Journey-Based Policy Management provide a foundation for a re-evaluation of traditional financial crime policy frameworks. As noted, current frameworks within firms will likely contain various siloed and discipline-based policies. Certainly, regulatory and legislative language implies a pluralistic approach to policy creation and management. However,  in applying the Journey-Based model, a firm could seek to rationalise multiple discipline-centric policies into one holistic economic crime policy (ECP) which outlines the fundamentals of governing, preventing, detecting, and responding to economic crime risks across the customer journey. Such a revised approach would benefit front line teams by removing duplicative control and compliance requirements and leveraging cross-firm controls where appropriate. An ECP would encourage consideration of how risk disciplines interrelate and affect the firm, but also the network of interdependent controls which are aligned to managing economic crime.

The CCO challenges the traditional policy response to legislative developments. These challenges highlight how firms can begin to transition away from a siloed discipline-centric policy model, to a more unified and customer conscious policy. Fundamentally, Journey-Based Policy Management could enable a firm to clearly evidence how policy requirements are distinctly aligned to protecting the integrity of the customer journey.

This piece was written for ICA by Alan Entwistle, guest contributor to the #BigCompConvo

-

Alan has worked in numerous financial crime policy roles through a 10 year career in the industry, covering the disciplines of Fraud Prevention, Sanctions and Anti-Money Laundering. More recently he was responsible for leading the design and implementation of Lloyd’s Banking Group’s response to the new Corporate Criminal Offence of Failure to Prevent the Facilitation of Tax Evasion. Having previously completed the ICA Diploma in Financial Crime Prevention, he is now studying for his second ICA Diploma in Anti-Money Laundering.

If you would like to take part in the ICA’s Big Compliance Conversation and contribute to a like-minded community, please get in touch at contributions@int-comp.org