White Paper: A summary of the FSA thematic review


A summary of the FSA thematic review on Anti-bribery and Corruption Systems and Controls in Investment Banks

Published in: Economy & Finance, Business

1. LexisNexis Red paper

A summary of the FSA thematic review on Anti-bribery and Corruption Systems and Controls in Investment Banks

By Mark Dunn, Market Planning Manager, Risk and Compliance, Business Information Solutions
2. Index

3 Introduction
4 Assessing bribery and corruption risk
5 Policies and procedures
6 Third party relationships and due diligence
7 Payment controls
8 Gifts and hospitality
9 Staff recruitment and vetting
9 Remuneration structures
10 Training and awareness
10 Incident reporting and management
11 Case studies
11 Assessing bribery and corruption risk
11 Looking ahead

LexisNexis has a world-class reputation for providing critical business tools. For over 30 years we have been pioneers in intelligence and risk management. As a digital pioneer, the company was the first to bring legal and business information online with its Lexis® and Nexis® services. Today, LexisNexis harnesses leading-edge technology and world-class content to help professionals work in faster, easier and more effective ways. Our solutions are used internationally by financial services, legal and accountancy firms and blue chip multinational companies to enhance business decision making, fulfil regulatory requirements and for premium information research. LexisNexis serves customers in more than 100 countries with 10,000 employees worldwide.
3. Introduction

The following review will focus on the consolidated examples of good and poor practice highlighted by the FSA.

In March 2012, the UK Financial Services Authority (FSA) published its thematic review on Anti-Bribery and Corruption Systems and Controls in Investment Banks. The thematic review was conducted between August 2011 and January 2012. The FSA met with 15 firms in the UK, including global investment banks and smaller firms focused on specialist investment banking business. All firms conducted business with countries, sectors or types of clients that carried potential risks of bribery and corruption.

“Overall, despite the high profile of the issue, the investment banking sector has been too slow and too reactive in managing bribery and corruption risks.”
Tracey McDermott, Acting Director, Enforcement and Financial Crime Division

Prior to meeting firms, the FSA also consulted with a number of stakeholders including the Serious Fraud Office, the Serious Organised Crime Agency, the Ministry of Justice, the British Bankers’ Association and Transparency International. The FSA’s findings are highly critical of banks’ anti-bribery and corruption systems and controls. The FSA emphasizes that, despite focusing specifically on a selection of investment banks: “We expect regulated firms in all sectors to consider our findings and examples of good and poor practice, as they may also be relevant to firms in other sectors which are subject to our financial crime rules in SYSC 3.2.6R or SYSC 6.1.1R.”

This point is reinforced by reminding authorised firms of the FSA’s obligations under the Financial Services and Markets Act 2000 to:
• Reduce the extent to which it is possible for a financial business to be used for a purpose connected with financial crime, because bribery and corruption are financial crimes; and
• Maintain market confidence, because bribery and corruption distorts competition and could affect the UK financial market’s reputation.
4. ABC systems and controls in investment banks: examples of good and poor practice

Assessing bribery and corruption risk

Examples of Good Practice
• Responsibility for carrying out a risk assessment and keeping it up to date is clearly apportioned to an individual or a group of individuals with sufficient levels of expertise and seniority.
• The firm takes adequate steps to identify the bribery and corruption risk, for example by using a range of expertise from both within and outside the business.
• Risk assessment is a continuous process based on qualitative and relevant information available from internal and external sources.
• Firms consider the potential conflicts of interest which might lead business units to downplay the level of bribery and corruption risk to which they are exposed.
• The ABC risk assessment informs the development of monitoring programmes; policies and procedures; training; and operational processes.
• The risk assessment demonstrates an awareness and understanding of firms’ legal and regulatory obligations.
• The firm assesses where risks are greater and concentrates its resources accordingly.
• The firm considers financial crime risk when designing new products and services.

Examples of Poor Practice
• The risk assessment is a one-off exercise.
• Efforts to understand the risk assessment are piecemeal and lack coordination.
• Risk assessments are incomplete and too generic.
• Firms do not satisfy themselves that staff involved in risk assessment are sufficiently aware of, or sensitised to, bribery and corruption issues.

Page 50. FSA March 2012. Proposed new guidance is bold.

LexisNexis view

An awareness of a third party’s true risk profile is essential, and therefore the resources used to conduct enhanced due diligence are critical. If the risk profile is “flattened” and all clients are treated equally, the risks are hidden and the ability to speed through some clients and focus more on higher risk clients is lost.

Accessing the breadth and depth of global data needed to do this effectively in a single platform ensures comprehensive checks can be performed quickly and appropriate risks managed. With the UK Bribery Act 2010 coming into force and active enforcement of the US Foreign Corrupt Practices Act, it is also important that risk assessment criteria reflect corruption risk indicators. The FSA’s focus on PEPs and their potential link to corruption will undoubtedly increase going forward. A structured and consistent approach to risk scoring based on recognised standards is essential.

An audit trail of all decisions taken, and of the due diligence research performed to make those decisions, helps to ensure the ABC process covers all the checks and balances required for future monitoring and review. This means consistent access to archived data is key: relying on simple web links often means news and other online information are lost as websites update and refresh their content, putting the integrity of the regulatory audit trail at risk.

An effective approach to simplified and enhanced due diligence requires access to comprehensive research information quickly and in a cost-effective manner. Company data may be readily available in the UK, but this type of information can be expensive and difficult to obtain in emerging markets deemed a higher risk. Licensed PEP lists are useful but not comprehensive enough (according to the latest FSA review), so broader media checks are also needed. LexisNexis relies on licensed, indexed, archived data to ensure results remain consistent. Our archive now stretches back over 35 years, facilitating extensive due diligence checks with a robust audit trail included as standard.
5. Policies and procedures

Examples of Good Practice
• The firm clearly sets out the behaviour expected of those acting on its behalf.
• Firms have conducted a gap analysis of existing ABC procedures against applicable legislation, regulations and guidance and made necessary enhancements.
• The firm has a defined process in place for dealing with breaches of policy.
• The financial crime/compliance team engage with the business units about the development and implementation of ABC systems and controls.
• ABC policies and procedures will vary depending on a firm’s exposure to bribery and corruption risk. But in most cases, firms should have policies and procedures which cover expected standards of behaviour; escalation processes; conflicts of interest; expenses, gifts and hospitality; the use of third parties to win business; whistleblowing; monitoring and review mechanisms and disciplinary sanctions for breaches. These policies need not be in a single ‘ABC policy’ document and may be contained in separate policies.
• There should be an effective mechanism for reporting issues to the ABC committee or compliance.

Examples of Poor Practice
• The firm has no method in place to monitor and assess staff compliance with ABC policies and procedures.
• Staff responsible for the implementation and monitoring of ABC policies and procedures have inadequate expertise on ABC.

Page 51. FSA March 2012. Proposed new guidance is bold.

LexisNexis view

Keeping the compliance team and key staff updated with changing risk indicators and regulator expectations needn’t be a costly and cumbersome exercise. The onset of poor practices is more common when resources are tight and adequate support is not offered to the compliance function. LexisNexis works with thousands of financial institutions of all sizes, offering scalable solutions that meet the needs and budgets of most organisations.

Increasingly, organisations are being more selective in their use of different training materials and technology to deliver updates to staff. LexisNexis supports this by separating PEPs into the relevant categories to ensure only the most relevant matches are delivered. Domestic PEPs can be switched on or off as needed; however, there is a growing trend to include them as standard. When multiple systems are deployed, gaps in the ABC process can be unavoidable. We help our clients ensure they have a consistent end-to-end process based on a single platform. Training and tutorials that are targeted to the requirements of specific personnel and the risks they manage can be delivered via short webinar updates and supplements to the comprehensive training undertaken by staff when they join the firm. For example, the definition of a PEP is not consistent across all jurisdictions, so it is key that careful attention is given to this area.
6. Third party relationships and due diligence

Examples of Good Practice
• Where third parties are used to generate business, these relationships are subject to thorough due diligence and management oversight.
• Third party relationships are reviewed regularly, and in sufficient detail, to confirm that they are still necessary and appropriate to continue.
• There are higher, or extra, levels of due diligence and approval for high risk third party relationships.
• There is appropriate scrutiny of, and approval for, relationships with third parties that introduce business to the firm.
• The firm’s compliance function has oversight of all third party relationships and monitors this list to identify risk indicators, eg a third party’s political or public service connections.
• Evidence that a risk-based approach has been adopted to identify higher risk relationships in order to apply enhanced due diligence.
• Enhanced due diligence procedures include a review of the third party’s own ABC controls.
• Consideration, where appropriate, of compliance involvement in interviewing consultants and the provision of anti-corruption training to consultants.
• Inclusion of ABC-specific clauses and appropriate protections in contracts with third parties.

Examples of Poor Practice
• A firm using intermediaries fails to satisfy itself that those businesses have adequate controls to detect and prevent staff using bribery to generate business.
• The firm fails to establish and record an adequate commercial rationale for using the services of third parties.
• The firm is unable to produce a list of approved third parties, associated due diligence and details of payments made to them.
• There is no checking of compliance’s operational role in approving new third party relationships and accounts.
• A firm assumes that long-standing third party relationships present no bribery or corruption risk.
• A firm relies exclusively on informal means, such as staff’s personal knowledge, to assess the bribery and corruption risk associated with third parties.
• No prescribed take-on process for new third party relationships.
• A firm does not keep full records of due diligence on third parties and cannot evidence that it has considered the bribery and corruption risk associated with a third party relationship.
• The firm cannot provide evidence of appropriate checks to identify whether introducers and consultants are PEPs.
• Failure to demonstrate that due diligence information in another language has been understood by the firm.

Page 52. FSA March 2012. Proposed new guidance is bold.

LexisNexis view

A primary goal for the compliance function is to have a consistent approach to onboarding, which ultimately improves customer service and provides a competitive edge. By auditing the local and international systems used for third party due diligence, the business is able to demonstrate consistent compliance. Risk solutions from LexisNexis enable approval of new third parties at the appropriate level and escalation to senior management for review when needed. All information gathered on an entity can be collated into one file and forwarded together with any notes, providing an efficient and auditable review process. A separate file is created for all PEPs and high risk entities, making closer ongoing monitoring straightforward and routine. It is possible to allow Business Managers minimal “privileges” and for any red flags to automatically drive escalation to Compliance, ensuring an appropriate risk-based approach at each stage. Using PEP databases in isolation is not sufficient, and broader news checks are needed to clearly identify associations and other high risk indicators.

Building an end-to-end workflow that looks across broader data sets also ensures ongoing monitoring is regular and efficient. By seamlessly combining the initial onboarding process with an ongoing monitoring process, all alerts can be handled in the same manner and a consistent approach is guaranteed.
7. Payment controls

Examples of Good Practice
• Ensuring adequate due diligence on and approval of third party relationships before payments are made to the third party.
• Risk-based approval procedures for payments and a clear understanding of the reason for all payments.
• Checking third party payments individually prior to approval, to ensure consistency with the business case for that account.
• Regular and thorough monitoring of third party payments to check, for example, whether a payment is unusual in the context of previous similar payments.
• A healthily sceptical approach to approving third party payments.
• Adequate due diligence on new suppliers being added to the Accounts Payable system.
• Clear limits on staff expenditure, which are fully documented, communicated to staff and enforced.
• Limiting third party payments from Accounts Payable to reimbursements of genuine business related costs or reasonable hospitality.
• Ensuring the reasons for third party payments via Accounts Payable are clearly documented and appropriately approved.
• The facility to produce accurate MI to assist effective payment monitoring.

Examples of Poor Practice
• Failing to check whether third parties to whom payments are due have been subject to appropriate due diligence and approval.
• Failing to produce regular third party payment schedules for review.
• Failing to check thoroughly the nature, reasonableness and appropriateness of gifts and hospitality.
• No absolute limits on different types of expenditure, combined with inadequate scrutiny during the approvals process.

Page 53/54. FSA March 2012. Proposed new guidance is bold.

LexisNexis view

Implementing consistent and robust procedures for handling payments to third parties is an essential part of an ABC process.

The FSA stresses the importance of having in place effective due diligence and associated approval processes before a third party is entered into the Accounts Payable system. Clearly documented, communicated and acknowledged limits on staff expenditure are also highlighted by the FSA as an example of good practice, enabling staff to know exactly what is allowable and driving consistent and ethical payment behaviour. In addition, a thorough audit trail should be a prerequisite for any Accounts Payable process. Enabling Compliance to follow the paper trail is critical should a suspicious payment require further investigation, or to allow the firm simply to demonstrate to supervisory authorities what payments were made to a particular third party and why. This should be supported by regular reviews and ad hoc spot checks to ensure the payment controls in place remain robust and appropriate to the firm’s business and its risk-based approach to anti-bribery and corruption. Such reviews, accompanied by effective management intelligence, will also enable the firm to identify and consider potential improvements in the payment process, bringing valuable benefits to the overall business.
8. Gifts and hospitality

Examples of Good Practice
• Policies and procedures clearly define the approval process and the limits applicable to G&H.
• Processes for filtering G&H by employee, client and type of hospitality for analysis.
• Processes to identify unusual or unauthorised G&H and deviations from approval limits for G&H.
• Staff are trained on G&H policies to an extent appropriate to their role, in terms of both content and frequency, and regularly reminded to disclose G&H in line with policy.
• Cash or cash-equivalent gifts are prohibited.
• Political and charitable donations are approved at an appropriate level, with compliance input, and subject to appropriate due diligence.

Examples of Poor Practice
• Senior management do not set a good example to staff on G&H policies.
• Acceptable limits and the approval process are not defined.
• The G&H policy is not kept up to date.
• G&H and levels of staff compliance with related policies are not monitored.
• No steps are taken to minimise the risk of gifts going unrecorded.
• Failure to record a clear rationale for approving gifts that fall outside set thresholds.
• Failure to check whether charities being donated to are linked to political causes.

Page 55. FSA March 2012. Proposed new guidance is bold.

LexisNexis view

Given all the media attention focused on corporate hospitality and the UK Bribery Act, it is critical that firms have in place a very clear gifts and hospitality policy. Of all the issues leading up to the enactment of the Bribery Act, gifts and hospitality (G&H) received the most attention. The FSA stresses the need for a G&H policy that is “proportionate, unambiguous and effectively implemented”.

Firms need to remember that if a case of suspected bribery or corruption is brought to court, they may need to be able to clearly articulate what their G&H policy is, and why hospitality that some might perceive as lavish is acceptable within the market in which they operate. It is important to be able to demonstrate how management leads by example on appropriate G&H standards. Firms should also clearly define G&H limits, implement approval and monitoring processes and be wary of their approach to political and charitable donations.
9. Staff recruitment and vetting

Examples of Good Practice
• Vetting staff on a risk-based approach, taking into account financial crime risk.
• Enhanced vetting – including checks of credit records, criminal records, financial sanctions lists, commercially-available intelligence databases – for staff in roles with higher bribery and corruption risk.
• Conducting periodic checks to ensure that agencies are complying with agreed vetting standards.

Examples of Poor Practice
• Failing to carry out repeat checks to identify changes that could affect an individual’s integrity and suitability.
• No risk based processes for identifying staff who are PEPs or connected to PEPs.
• Where employment agencies are used to recruit staff, failing to demonstrate a clear understanding of the checks these agencies carry out on prospective staff.
• Temporary or contract staff receiving less rigorous vetting than permanently employed colleagues carrying out similar roles.

Page 55. FSA March 2012. Proposed new guidance is bold.

LexisNexis view

Although ABC due diligence often focuses on sales agents and other third party business partners, it is important to ensure that the risk of employees committing bribery is also being adequately mitigated. Most firms visited had employee screening covering areas such as previous employment, credit and criminal records checks. In some cases, enhanced employee screening is conducted against sanctions, negative news, PEP and specialist fraud databases like CIFAS. However, the FSA reminds firms to consider which employees pose the higher risk when conducting checks, and not just to apply checks to senior personnel. The FSA also highlighted the use of outsourced agencies to conduct employee vetting, and its expectation that firms have a good understanding of the types of checks such providers conduct.

The FSA also recommends firms undertake periodic checks to ensure that outsourced employee screening agencies are complying with agreed vetting standards.

Remuneration structures

Examples of Good Practice
• Remuneration takes account of good compliance behaviour, not simply the amount of business generated.
• Identifying higher risk functions from a bribery and corruption perspective and reviewing remuneration structures to ensure they do not encourage risk taking.

Examples of Poor Practice
• Failing to reflect poor staff compliance with anti-bribery and corruption policy and procedures in staff appraisal and remuneration.

Page 55. FSA March 2012. Proposed new guidance is bold.

LexisNexis view

Firms should be fully aware of the FSA Remuneration Code and its relevance to their business, and review the Code in light of the Bribery Act. Firms need to be wary of implementing payment schemes which reward staff for taking unacceptable risks that could lead to bribery and corruption. The FSA reminds firms of the standards that banks, building societies and some investment firms must adhere to under the FSA Remuneration Code. The majority of firms sampled had not reviewed this Code in light of the Bribery Act. Instead, most firms relied on the staff appraisal process to address adherence to firm ethics and compliance.
10. Training and awareness

Examples of Good Practice
• Providing good quality, standard training on anti-bribery and corruption for all staff.
• Ensuring training covers relevant and practical examples.
• Keeping training material and staff knowledge up to date.
• Awareness raising initiatives, such as special campaigns and events to support routine training, are organised.

Examples of Poor Practice
• Failing to provide training on ABC that is targeted at staff with greater exposure to bribery and corruption risks.
• Failing to monitor and measure the quality and effectiveness of training.

Page 55. FSA March 2012. Proposed new guidance is bold.

LexisNexis view

Ensuring staff understand and apply the firm’s ABC policy is critical. To be most effective, ABC training should be tailored to reflect the firm’s culture, business model and risk-based approach. Unsurprisingly, the methods of training adopted by firms varied according to the size of the organization. However, the FSA emphasizes the need for firms to develop more tailored training aligned to their risk-based approach. The FSA points out that many firms had not considered ABC training before the Bribery Act and “therefore had not met their regulatory obligations”. The importance of keeping training material and staff knowledge up to date is one of several examples of good practice highlighted by the report. Failing to monitor and measure the quality and effectiveness of training is considered a weakness.

Incident reporting and management

Examples of Good Practice
• Clear procedures for whistleblowing and the reporting of suspicions which are communicated to staff.
• Details about whistleblowing hotlines are visible and accessible to staff.
• Where whistleblowing hotlines are not provided, firms should consider measures to allow staff to raise concerns anonymously, with adequate levels of protection, and communicate this clearly to staff.
• Firms use information gathered from whistleblowing and internal complaints to assess the effectiveness of their ABC policies and procedures.

Examples of Poor Practice
• Failing to maintain proper records of incidents and complaints.

Page 55. FSA March 2012. Proposed new guidance is bold.

LexisNexis view

Firms must have effective procedures for reporting and escalating bribery and corruption concerns. The FSA assessed firms’ processes covering complaints, reporting and whistleblowing. There were no serious failings uncovered in internal reporting procedures, with staff often aware of such processes from their ABC training. However, firms are reminded of the importance of maintaining proper records of reported incidents and complaints.
11. Case studies

The FSA review also includes a number of case studies highlighting areas that concerned the FSA during their onsite visits. The case studies include anonymised examples of failings in a number of ABC systems and controls. Selected examples include:

Assessing bribery and corruption risk

Subjective perception
• Some firms had selected business units based on either a subjective perception of corruption risk or preference, rather than an informed decision based on objective criteria.
• Three large firms had not completed a full bribery and corruption risk assessment. Furthermore, two of them had determined that bribery and corruption was high risk for their business but had not identified where or what the highest risks were.
Page 17. FSA March 2012.

Levels of expertise
• We expect responsibility for carrying out a risk assessment and keeping it up to date to be clearly apportioned to an individual or a group of individuals with sufficient levels of expertise and seniority.
• One large firm had not assigned specific responsibility for oversight of risk assessment to an individual or group of individuals; rather, it was left to individuals responsible for conducting due diligence, although where risks were identified, these would be referred to compliance. We were concerned that, while the level of risk involved in specific business transactions was assessed, the firm had an incomplete view of the extent of its bribery and corruption risk.
Page 19. FSA March 2012.

Quality of training
• It is important for firms to be able to assess the quality and adequacy of their training.
• A large firm said that multiple test failures were very rare domestically but not uncommon in foreign branches and subsidiaries, due to language barriers. This suggests their training for overseas staff was ineffective.
Page 44. FSA March 2012.

Looking ahead

Unsurprisingly, given the failings identified and highlighted in the report, the FSA press release hinted at possible future enforcement action being taken against some of the 15 firms sampled. The FSA also issued a consultation paper inviting comments on the proposed amendments to its Financial Crime: A guide for firms, to incorporate the wealth of new material gathered during the thematic review.

“The FSA is considering whether further regulatory action is required in relation to certain firms in its review. … The FSA and, from next year, the Financial Conduct Authority will continue to focus on financial crime risks in this sector and beyond to ensure firms are meeting their legal and regulatory obligations.”
Tracey McDermott, Acting Director, Enforcement and Financial Crime Division
12. How LexisNexis helps organisations comply

LexisNexis Risk solutions can protect your business in a number of ways – we simplify the compliance process, we reduce the related costs and we enable an effective risk based approach based on the right information at the right time. Our fast, intuitive solutions do not require any additional IT investment or training. All searches are time and date stamped, providing you with the audit trail you need for the regulator.

Manage enhanced due diligence checks on new and existing customers
Search on a company, individual or country through our online due diligence solution. Lexis Diligence searches global news and business information, sanctions and PEPs, delivering accurate and relevant matches immediately. Results can be saved, printed or put into a report to enable a decision to be made on whether to progress the relationship. Be confident that your decisions are based upon content you can trust, and save valuable time with account opening or third party due diligence checks. Lexis Diligence is used by the world’s top five banks, law firms and blue chip companies to mitigate risk every day. Achieve a competitive advantage by speeding up the client acceptance process whilst maintaining necessary controls.

Conduct ongoing screening of existing customers
Monitor customers and other third-parties through LexisNexis Bridger Insight. Stay compliant and safeguard your organisation’s reputation by regularly monitoring high risk customers in case their status changes, as per your risk-based approach. Simply upload all the customers you need to monitor to LexisNexis Bridger Insight. You can screen as many companies and individuals as you need in one transaction. The list will be screened against our global sanctions, watch lists and PEP data and the results file returned for review. Any matches are clearly highlighted so that you can choose which alerts would merit further investigation in Lexis Diligence. Our superior fuzzy-name matching algorithm ensures better matches, saving you valuable time and money investigating irrelevant results.

Monitor high risk customers across the media
Monitor news across all key media on your high risk third parties through your own early warning system. Fuzzy matching is not used, ensuring you only get the relevant results you need to see. Automated monitoring enables you to anticipate and mitigate any financial and reputational risks to protect your organization. Using a unique mix of multi-lingual data mining and sentiment analysis techniques, supplemented by our in-house analysts’ expertise, LexisNexis Analytics automatically monitors internal, online and press coverage through a single interface. LexisNexis Analytics can also be used to monitor competitor movement, partners’ reputations and key customers and suppliers, arming you with invaluable insight.

t. +44 (0) 845 370 1234
e. risk@lexisnexis.co.uk
w. www.lexisnexis.co.uk/risk