Financial Crime Newsletter An update from the
Financial Crime Sector Team
Issue No.11 – May 2008
Introduction by the regulators’ approach and the importance
of public-private sector dialogue in the
AML/counter-terrorist finance (CTF) arena.
Welcome to the 11th This partnership approach, championed in
edition of the FSA’s the UK, has demonstrable resonance for
financial crime newsletter. other jurisdictions.
We want it to keep you
At last year’s Financial Crime Sector
up to date with our
conference, we announced the new
financial crime work, and other key issues
Financial Crime and Intelligence Division.
related to financial crime.
This year’s conference gave us a chance
We hosted our annual Financial Crime to reflect on some of the division’s early
Sector conference at Old Billingsgate, work. This included the thematic work
central London, last month. Thank you to from the new Financial Crime Operations
everyone who attended and participated team, we discuss in more detail below.
in what was a highly informative and
Information security appeared regularly in
successful day. I am particularly grateful to
the national press at the end of 2007, which
the many distinguished speakers who gave
highlighted the importance to all types of
their time to support our ongoing work to
organisation of keeping customers’ data
tackle financial crime. These included Rt
secure. On 24 April, we released the results
Hon Jane Kennedy MP; Richard Thomas,
of our major piece of thematic work on
the Information Commissioner;
data security in financial services firms. Poor
Commissioner Mike Bowron, City of
information security standards represent a
London Police; Paul Newham, National
serious, widespread and high impact risk
Terrorist Financing Unit; and Sandra
to our statutory objective of reducing the
Quinn, National Fraud Strategic Authority.
extent to which it is possible for a business
The conference also had an international
to be used for purposes connected with
dimension, with presentations from
financial crime, and we will continue to
Jonathan Polk, Vice President of Bank
work with firms to address these issues.
Supervision at the NY Fed, and Rick
For more information on our findings
Small of the Financial Action Task Force.
please see the articles on page 2 and 3.
Our CEO, Hector Sants, opened the
On 14 March, we also published the
conference by reiterating the importance
results of our thematic work on how firms
of keeping up our focus on financial
have implemented a risk-based approach
crime despite the recent turbulent market
to AML. We have seen many examples
conditions. This follows the commitment
of good practice in both small and large
we made in our 2008/09 Business Plan to
firms, especially in the way that larger
maintain our increased level of financial
firms have embraced the risk-based
crime resources. His speech is available
approach. We recognise that smaller
on our website (www.fsa.gov.uk).
firms represent lower risk and have fewer
At our conference we heard from our two resources; however, some showed clear
American speakers about the international room for improvement, especially in staff
dimension in anti-money laundering (AML), training and ongoing risk assessment. For
especially the importance of understanding more details, see pages 3 and 4.
This is not FSA guidance Page N 1
The Joint Money Laundering Steering Group
(JMLSG) is an excellent example of how a
partnership approach to tackling financial crime
can work. Its guidance is written by the industry
and approved by the Treasury to give firms Philip Robinson – Director
practical help in meeting their AML/CTF Financial Crime and Intelligence Division
obligations. I would like to congratulate Jonathan
Taylor on his appointment as the new Chairman of
the JMLSG, and wish him success in his new role. Poor data security a widespread
Another example of where partnership can bring and serious problem
benefits is by sharing information. APACS, the UK
One of the major projects the Financial Crime and
payment association, regularly produces statistics
Intelligence Division undertook in 2007 was a
on card fraud which can help firms assess their
review of how firms safeguard their customers’
fraud risks. An article on their most recent data
can be found on page 4.
Data security is relevant to financial crime because
Developing statistical evidence of trends in
personal data (address, date of birth, national
financial crime is one of the greatest challenges
insurance number, earnings, account details and
that regulators, law enforcement and firms face in
so on) is a valuable black-market commodity.
trying to tackle the problem. There is no generally-
Criminals buy and sell it in bulk to commit
accepted methodology that would enable us to
identity theft and related crimes such as account
measure the scale of financial crime or the social
takeover and mortgage fraud.
harm caused as a result of financial crime, or to
compare the severity of different types of financial We published our findings on our website on 24
crime. This makes it harder for us to allocate April. The alarming conclusion is that poor data
our financial crime resources in a risk-based, security is a serious and widespread problem in
proportionate way. Our scale and impact project the financial services industry.
aims to address this issue. For an update on its
progress, see pages 4 and 5. Firms are generally aware of the need to safeguard
personal data. They are beginning to understand
We’ve also included a series of brief news updates more about the risk of data loss and are making
on the Financial Action Task Force, our financial efforts to address it. However, there is a wide
crime perceptions survey, recent enforcement gulf between the good practice demonstrated by
action against mortgage fraud, some bogus FSA some firms committed to data security, and the
communications, and new members of our weaknesses seen in firms that do not understand
Financial Crime Sector team on pages 5 and 6. the extent of the risk, and have not considered
One of the team’s responsibilities is to coordinate appropriate controls. Smaller firms in particular
how we communicate with our financial crime are not meeting the standard we expect.
partners. We are always interested to hear your
feedback on how we are doing in this area, and we There are three main reasons for these shortcomings.
have developed a survey to collect your comments. First, some firms do not appreciate the gravity of
this risk. Second, they lack the expertise to make a
You can find all the articles as follows: reasonable assessment of risk factors and devise
ways of mitigating them. Third, they fail to devote
• Data security, pages 2 and 3
adequate resources to address this risk.
• Risk-based approach to anti-money laundering,
The efforts firms make tend to focus heavily on
pages 3 and 4
information-technology controls such as anti-
• APACS fraud data, page 4 intrusion software. At the same time, firms
often overlook common-sense controls in office
• Scale and impact project, pages 4 and 5 procedures such as passwords, secure waste bins
• Other news in brief, pages 5 and 6 for confidential paper, and filing-cabinet locks.
This is not FSA guidance Page N 2
We recognise that many firms are just beginning We hope and believe firms will use these findings
to set up appropriate controls and need direction to assess any potential deficiencies in their own
in this area. To meet this need, our report and systems and controls. We have warned of the high
accompanying factsheets aimed at small firms risk posed by poor information security standards
include useful and detailed examples of good in each of the last five editions of our Financial
practice. Some important practices are: Risk Outlook, and in future we will consider
enforcement action where firms continue to fail
• senior management taking responsibility for to meet the required standards.
• risk assessment which is acted on;
The risk-based approach to
• written policies and procedures that are
proportionate, accurate and relevant;
We have recently completed a major review of
• detailed plans for reacting to data loss, and
firms’ implementation of a risk-based approach to
communicating with customers about what
AML, and on 14 March 2008 we published our
findings. The published report, which was the first
• simple and memorable guidance for all staff; piece of thematic work produced by our newly
expanded Financial Crime Operations team,
• regular vetting to ensure that staff are not highly involved visits to 43 firms in total. These ranged
vulnerable to the temptation of data theft; from major high street banks, building societies,
insurers and asset managers to some very small
• individual user accounts for customer
firms in both the wholesale and retail sectors. In
addition, we gathered information from around
• robust passwords containing a mixture of 90 small firms using a high-level survey. The
letters, numbers and keyboard symbols; overall aim of the project was to establish the
extent to which a wide range of firms had adapted
• secure disposal of confidential waste, using to replacing detailed AML regulatory rules with
shredders or disposal services; and much more high-level AML systems and controls
• checks to ensure that third-party suppliers obligations, fleshed out by industry-written
(such as IT providers and cleaners) have JMLSG guidance. Firms also have to abide by
equally robust systems and trustworthy staff. their legal obligations under the Money
Laundering Regulations 2007.
This good practice is not defined as formal
guidance from the FSA. But firms should use it Our report covered the key aspects of a firm’s
to ensure they have a proportionate, risk-based AML systems and controls and, to help with
approach to data security, taking into account analysis and comparison, we categorised our
their customer base, business and risk profile. findings by size of firm: large, medium and small.
These findings included observations of good
Firms have legal and regulatory responsibilities to practice adopted by firms, as well as some
safeguard their customers’ data. Our Principles for examples of poor practice.
Business require firms to conduct business with due
skill, care and diligence, to take reasonable care Overall, we were pleased to find many examples of
to organise and control their affairs responsibly good practice, particularly in the way that large
and effectively, with adequate risk management firms had fully embraced both the risk-based
systems. We also require firms to ‘take reasonable approach to AML and senior management’s
care to establish and maintain effective systems and accountability for putting in place, and maintaining,
controls … for countering the risk that the firm an effective AML control environment. While we
might be used to further financial crime’ (rule recognise that smaller firms have fewer resources to
3.2.6R in our Senior Management Arrangements, devote to money laundering risk assessment and
Systems and Controls Sourcebook). risk mitigation measures, we still found clear room
for improvement in some firms. In particular, firms
This is not FSA guidance Page N 3
must ensure their staff are adequately trained, and £73.0m in 2004. Online banking fraud losses are
they should not treat reviewing their AML policies also down. They have decreased to £22.6m, a
and procedures as a one-off exercise. 33% drop compared to 2006.
An example of good practice that we quoted in According to APACS, overseas fraud now
the report was senior management responsibility. accounts for 39% of total card fraud losses.
One major bank decided to appoint the money APACS urges countries who have not already
laundering reporting officer’s line manager as the done so to upgrade to the chip and PIN system
designated director with overarching responsibility that has worked so well in the UK.
for AML controls. This director was seen as the
obvious choice for the role, given that his portfolio However, cheque fraud losses and card-not-present
of responsibilities included fraud, risk and money fraud losses both increased, reminding us and the
laundering. The bank’s decision formally to industry that fraud prevention is still vital in the
appoint a Board-level senior manager to this fight against financial crime.
position was viewed as reinforcing the importance We take fraud, and indeed all financial crime in
of having a robust AML control framework in the UK, very seriously, since reducing the extent
place. The director then decided the management to which businesses can be used for a purpose
information on AML issues he had previously connected with financial crime is one of our four
received was too unplanned and fragmented. So statutory objectives. We are currently undertaking
the rule changes proved to be a catalyst for the several projects on fraud, including investigating
bank establishing more organised management how common it is in the mortgage industry and
information and a group-level Financial Crime looking at the risks surrounding customers’ data
Risk Committee to consider relevant issues. in the hands of third-party suppliers.
In contrast, we found some small firms did not We are also increasing the number of our
have a robust approach to classifying the money supervisory visits for the coming year to ensure
laundering risk associated with their clients. In one that FSA-regulated firms have adequate systems
case, a wholesale small firm classified all its clients and controls in place to counter the risk that
as medium or low risk, despite most of them being they might be used to further financial crime.
based in Eastern Europe, North Africa and the
Middle East. For the full APACS press release please visit:
Our report (available on our website) contains
several examples of good and bad practice, and
firms might find it helpful when reviewing their Scale and impact of financial crime
As a risk-based regulator, we aim to target our
resources at the areas of greatest risk to our
APACS release 2007 fraud figures statutory objectives. For financial crime, our
ability to do so is limited as there is no generally
APACS, the UK payments association, have accepted way of measuring the scale of financial
released their card fraud figures for 2007. crime or the social harm caused as a result; nor
The report shows that total card fraud losses rose can we compare the severity of the different types
by 25% in the past year to £535.2m and APACS of financial crime.
say this is mainly down to the 77% (£90.5m) In light of this, we have established the Scale and
increase in fraud committed overseas by criminals Impact Financial Crime Project to help us get a
using card details stolen from the UK. In contrast, better measure of the impact of all types of
domestic fraud dropped, as a result of the stricter financial crime in the UK, and know where to
controls in the chip and PIN system. focus our resources.
Fraud on lost and stolen cards is at its lowest rate The project has been split into two phases, with the
for ten years and losses from face-to-face start of Phase II depending on the results of Phase I.
transactions are down by 66% from £218.8m to
This is not FSA guidance Page N 4
Phase I, which is underway, is a critical analysis Financial crime perceptions survey
of all published work and current projects on the
scale and impact of financial crime; the methods During the last few months, we have been running
used to measure or assess the scale and/or impact a survey of stakeholders and regulated firms to
or harm; and the quality of the results. explore their perceptions of financial crime. The
survey looked at perceived increases and decreases
We will categorise financial crimes by their harm in financial crime, and also the performance of the
and measurability. And we will try to identify FSA and other bodies in tackling it. We conducted
what mechanisms we, given our legal powers, a similar survey last year, which was designed to
can realistically use to bring about a reduction act as a benchmark for future years.
in financial crime.
Early results show that most firms believe
The conclusions from Phase I, which we will financial crime will increase over the next two
deliver by the end of the second quarter of 2008, years. However, it’s encouraging that firms are
will give us a clearer idea of whether Phase II of finding it easier to make a business case for
the project is feasible. allocating resources to tackle financial crime.
In Phase II, we hope to be able to develop concepts We will publish an article on the detailed results in
and methodologies for measuring the scale and our next financial crime newsletter. The results of
impact of financial crime. We plan to use these last year’s survey can be found on our website at
tools to repeat the assessment regularly, enabling www.fsa.gov.uk/pubs/consumer-research/crpr58.pdf.
us to identify trends in the scale, frequency and
impact of financial crimes over time and make
Mortgage fraud enforcement action
any necessary adjustments to our resources.
On 5 March, we published a final notice against
We realise this is an ambitious project. If Phase II
Andrew Talai Kiplimo, a mortgage introducer from
goes ahead, we expect to publish the results by
East London. This is the first time we have taken
the end of 2009.
action against a mortgage introducer. Mr Kiplimo
is no longer allowed to work in the financial
services industry. A lender gave us information that
News in brief which led us to believe that he was responsible for
submitting mortgage applications containing false
News from the Financial Action Task Force information, including substantially inflated
income and false employment details. Mr Kiplimo
The Financial Action Task Force (FATF), an AML
was then removed from a lender’s panel, but
and CFT standard-setting body, met in Paris last
continued to submit mortgage applications.
month. The FATF issued a warning of the higher
risks of money laundering and terrorist financing These fraudulent applications, combined with
posed by deficiencies in six jurisdictions: Mr Kiplimo’s conduct during the enforcement
Uzbekistan, Iran, Pakistan, Turkmenistan, São investigation, have led us to the conclusion that
Tomé and Príncipe, and the northern part of he is not a fit and proper person to perform any
Cyprus. In the case of Iran, this reiterates an role in connection with regulated activities, and
earlier advisory notice issued in October 2007. we advise brokers and lenders to exercise caution
Following this statement, the Treasury issued a if he tries to send them business. For more details
press notice supporting the FATF’s work in this of the case, please see the final notice, which is
area and providing advice to firms. This notice available on our website at
is available on the Treasury’s website. www.fsa.gov.uk/pubs/final/kiplimo.pdf.
This is not FSA guidance Page N 5
We are aware of recent bogus communications
If you would like to be added to our distribution
claiming to be from the Financial Services Authority
list to receive this newsletter, or have any
(FSA) or the Financial Ombudsman Service (FOS),
questions about the content please email us at
asking the recipient for personal information.
These communications can be in the form of
phonecalls, emails or letters and they sometimes
use the name of a current or former employee and
provide a false contact number. We advise you to
remain vigilant to these hoaxes and to encourage
your colleagues to be alert.
If you are in any doubt about the authenticity of
a communication from the FSA or FOS, you can
contact one of the telephone numbers below:
• Authorised firms in the UK: 0845 606 9966
(call rates may vary)
• General public in the UK: 0845 606 1234
(call rates may vary)
• Overseas callers: +44 20 7066 1000
FOS – 0845 080 1800 (call rates may vary)
New members of the Financial Crime
Arshad Rahman has joined as the new manager
of the Financial Crime Sector team, having
previously worked in enforcement, listing and
risk management. He recently returned from a
secondment to the City of London Police, where
he was responsible for planning the set up of the
National Fraud Reporting Centre and National
Fraud Intelligence Bureau.
We also welcome Martin Shaw , who will manage
financial crime communications. Martin comes
from Consumer Communications where he has
been working on our Moneymadeclear advertising
campaigns. We hope to improve communications
with our stakeholders and as a first step we would
welcome your thoughts on how we are doing.
Please fill in our short online survey at
www.fsa.gov.uk/crime/survey and have your say.
This is not FSA guidance Page N 6