Financial crime

 

In the second half of 2008 we reviewed how financial services firms in the UK are addressing financial crime risks in functions they have moved to offshore centres.

The review follows on from our report into data security in financial services (April 2008).
The main financial crime risks we reviewed were:

  • customer data being lost or stolen and then used to facilitate fraud
  • money-laundering; and
  • fraud

Key findings

Our main conclusions from the review are as follows:

  • There are good data security controls but continued effort is needed to ensure those controls do not break down and that they remain valid and risk based.
  • High staff turnover presents a high financial crime risk, particularly around staff training. It is important that firms have in place appropriate vetting controls to fill gaps left by inadequate local electronic intelligence and search systems. Firms may want to consider using third-party recruitment specialists because of their local knowledge.
  • Local staff with financial crime responsibilities must be given proper financial crime training over and above their intimate knowledge of technical processes. Financial crime training in India needs to be better supported by financial crime teams in the UK.

There is more information on the findings of our review in the following sections:

  • Data security: physical controls
  • Staff recruitment and vetting
  • Reporting suspicions
  • Training

Data security: physical controls

Following on from our report into data security controls in financial firms (April 2008), risk of data loss in an offshore environment is a key regulatory concern. In all the firms that we visited, senior management told us that safeguarding customer data was a top priority, and that data security lapses presented the greatest financial crime risk to their business. We found that all the firms visited had controls in place to reduce this risk, and that generally these controls were on a par with our review of data security controls of firms in a UK environment.

Firms have generally adopted a risk-based approach successfully, and we found good examples of the proportionate approach we expected. For example, all the firms that we visited held their customer data on servers in the UK, with access to this information in India via encrypted data links. As a result, staff in India could not access bulk data and data was generally only accessed one record at a time. At one firm that we visited, this prevented staff from searching for the details of high net worth customers. This was an effective control to mitigate the risk of staff fraud. All the offices visited had tight controls over the use of data storage devices such as mobile phones, memory sticks and CDs. Other areas vulnerable to data theft, such as printing facilities, web-based email and the use of laptops were also well controlled.

However, we also found some examples of poor practice. Some firms we visited did not have an effective system for granting staff an appropriate level of access to data. These firms allowed staff access to more information than they needed to do their job, and in certain cases access rights were not reviewed or deleted promptly, for example when staff left or moved within an organisation. Moreover, we identified that high staff turnover was a key risk, which means that logical access controls can become out of date if not regularly audited. Firms need to keep these controls under constant review and ensure that access controls keep pace with any organisational and technological changes.

Most firms operated a workflow system that provides a solid control structure to prevent collusion but other controls based on the local environment are needed to control the workflow system properly. Checks are needed to ensure that sign-off is not manipulated by fraudulent staff through sharing of passwords or work terminals.


Staff recruitment and vetting

All the firms visited had high staff turnover rates and consequently a need for constant recruitment.  This was recognised in all cases as a key financial crime risk, given the continuing risk of infiltration of financial services institutions by organised criminal groups seeking to obtain sensitive customer data.  In a number of firms that we visited staff vetting procedures were inconsistent and did not apply to all staff, which increases the risk that firms may inadvertently take on a person with a criminal background or a poor employment history.  

We found poor practices relating to staff vetting in some of the business process out-sourcing firms that we visited, where the regulated firm had not incorporated proper staff vetting in the service level agreement.  For example in two firms there was reliance on obtaining only a name and mobile telephone number to verify the previous employment history of a new recruit.  Firms need to apply a much higher level of vigilance to mitigate this risk.

Where staff are required, often at short notice, to move to a higher risk role, firms must resist the operational pressure to cut corners and must continue to ensure that adequate vetting is carried out.

The use of professional third parties to carry out recruitment checks can bring a greater level of expertise to the process and, potentially, economies of scale.  We found the quality of checks to be generally better in firms that used third-party specialists. 

We were informed that fake CVs, inconsistent references, and previous employers being reluctant to provide references or share data were common in India.  India does not have the electronic database infrastructure in place to allow fast, effective checking of the bona fides of individuals. So firms need to apply a wide range of strategies to fill this gap.

Reporting suspicions

There were often mechanisms in place for reporting suspicion independently of the normal reporting line. But the tendency was for operatives to raise issues with their immediate team leader or manager. This can be beneficial in stopping inappropriate referrals but can also result in valid suspicions being blocked. Firms should keep a central record of such issues and audit them periodically.

The right working environment is vital to a harmonious approach to financial crime reporting.  An open, no-blame culture should be sponsored by senior management with a single point of contact for financial crime in each firm and a system to bring all financial crime issues together.  Senior management in the UK must be sure of being in possession of all the management information on financial crime that is available.  Management information on financial crime needs to be pulled together so that the Board can satisfy itself that it knows where the financial crime risks are.

In firms that used a business process out-sourcer (BPO), there were no financial crime measures within the contract or Service Level Agreement and so no incentive for financial crime issues to be raised by BPO firms with their UK counterparts.  The consideration of financial crime measurement should be included within the negotiation or re-negotiation of the contract or Service Level Agreement.


Training

Firms need to have appropriate training to ensure that staff are equipped to identify and report incidences of financial crime. We found that the quality of staff training was generally poor – mainly as a result of the high level of staff attrition and consequent high level of recruitment, which makes it difficult for firms to maintain effective training on financial crime.  Nevertheless, firms must do more to ensure that staff are equipped to identify and report all potential financial crime risks.  

All the firms we visited provided training on some aspects of financial crime as part of their induction, generally via a computer-based training (CBT) package. We found the best results where this was appropriately tailored to the firm and to the business processes undertaken. Most firms had a generic anti-money laundering training CBT package in order to satisfy legal and regulatory requirements. However, the training programme did not always cover other areas of financial crime risk such as fraud or data security. Most firms supplemented the CBT with face-to-face training of some type. Delivering this training was usually the responsibility of the local Money Laundering Reporting Officer (MLRO), money laundering champion or fraud champion. However, these individuals, who tended to be experts in a particular work process, did not generally have adequate overall financial crime expertise, and were not best placed to communicate the key financial crime messages to staff.

This resulted in few referrals of money laundering or fraud suspicion from the operatives or too many referrals of little or no value to law enforcement. In addition, we saw few signs of incentives for staff to report financial crime risks, for example through a staff whistleblowing line, and those that were in place had either become stale or were generally unused. We believe that firms should review their financial crime training to improve the capability of those staff with responsibility for training and to incentivise staff in the area of financial crime reporting.
