Philip Robinson

Related information

Read further information on Financial Crime

 

The financial crime sector

 

Speech by Philip Robinson, Financial Crime & Intelligence Division Director
City and Financial Annual Financial Crime Conference
5th July 2007

Ladies and Gentlemen,

I am delighted to be here today, for the 4th time, to address City and Financial's annual financial crime conference. Today I want to take a look back over the last three years and take a look forward at the next three.

In April 2004, I gave a speech here entitled Anti-money laundering regulation – next generation developments. Last week in Paris, the FATF concluded its Mutual Evaluation of the UK's adherence to the FATF 40 + 9 Recommendations – the Global Standards for AML/CFT, so it seems a very sensible time to review the achievements of the last 3 years, consider how the FATF has assessed our performance, and look forward to the future.

Of course, financial crime is not just AML/CFT. It is a broad remit. After all, the FSMA text (Financial Services and Market Act) says that financial crime includes any offence involving:

  • fraud or dishonesty
  • misconduct in, or misuse of information relating to, a financial market; or
  • handling the proceeds of crime

This makes the scope very broad indeed.

So today I'll also try to provide, in less detail, the same look back and look forward for fraud and other financial crime.

Back to topBack to top

Before I do all that, I'd like to start with some comments about what the UK Threat Assessment, published by SOCA in July 2006, says about financial crime and what we said about financial crime in our Financial Risk Outlook, published in February this year.

Why do these reports matter? Well, in my view, they provide, increasingly effectively, the high-level risk assessment that firms need to have regard to in operating their own risk-based approaches to reducing financial crime.

The UK threat assessment 2006/7, paragraph 1.3 says:

"The UK Threat Assessment is a collaborative effort. It draws on information from a wide range of sources, both in the UK and abroad. In preparation for the creation of SOCA, this year it has involved a reappraisal of all the areas of serious organised crime judged to pose a significant threat to the UK, together with an extensive consultation process to ensure that the assessment represents the best understanding of those agencies most closely concerned with tackling the various threats."

The recently published Treasury AML strategy says that the UK Threat Assessment:

"Provides a best picture of the problem, prepared by law enforcement, intelligence and policy organisations, and is updated annually".

The FSA publishes in its annual Financial Risk Outlook the key risk areas it wants to bring to the attention of its stakeholders, particularly the industry it regulates. It is not an exhaustive list – we have many more risks on our internal risk logs! – But it does contain the ones we consider it is most important to draw peoples' attention to.

Why do we do this? The foreword to the FRO says:

"We publish the Financial Risk Outlook to raise awareness of the key risks present in our operating environment and to increase understanding of our actions. It also contributes to our objective of promoting public understanding of the financial system. We hope that firms and consumer organisations will find it a useful addition to their own risk management and planning".

So, we expect the management of firms, who may be in areas affected by the risks we identify, or are doing things identified by us as of particular concern, should consider how the risks are manifesting in their businesses and whether their mitigation plans are both properly designed and effectively implemented.

You might be interested to note, for example, that in 2004, 2005, 2006 and 2007 we highlighted information security as a priority risk. After three years of alerting firms to this risk we considered it appropriate to take some public enforcement action where it was clear that these alerts had not been translated into effective risk mitigation procedures. So what would you do in my position if you found continuing failure after four years of repeated expressions of concerns about firms' information security by the FSA?

I am keen not to generate a new 'fear factor' here; we remain proportionate and risk-based and do not expect zero-failure, as the firms who have been subject to the 20 or so significant instances of data loss in the last six months can testify. But if we are to truly operate the sort of intelligence led, alert driven, risk-based approach to reducing Financial Crime we have been working for, and the industry has been asking for, over the last 3 years, than the industry needs to respond to the intelligence alerts when they are given to it.

If you do not agree with SOCA Threat Assessment, or what the FSA puts in the Financial Risk Outlook, then tell us. I have checked, and so far this year neither SOCA nor the FSA has received any contrary feedback about the financial crime content of these documents so I guess you agree with what's in them! The question to you, then, is what are you doing about what they say?

Back to topBack to top

Looking back

I said I would look back at what has happened, so, let's start with anti-money laundering.

In 2004, what did we see? As I put it in my speech in April 2004,

"Far too many firms do anti-money laundering not because they understand and support its rationale, but simply because they are required to do it, initially by the law and now also by their regulator. (…) For these, anti-money laundering is all pain and no gain. (…) Firms approaching AML in this way will do it mindlessly and insensitively, producing limited value and alienating their management, staff and customers".

In 2004, I said our plan was to have a more targeted and 'value-for-money' approach, with a strong focus on consumers. Let me be more specific. To achieve these aims, we notably said we would:

  • explain more fully what we mean by the risk-based approach;
  • 'strive to achieve a sensible, proportionate, fit-for-purpose UK and EU approach to identification;
  • support the JMLSG in producing revised Guidance Notes that help all sectors not just to comply with their obligations but to manage their money laundering risks professionally and proportionately;
  • ensure that our guidance and training for our supervisors reflects the risk-based approach so that we deliver on the ground what we say in a speech'.
  • 'work with government, NCIS, the Assets Recovery Agency, the industry and consumer bodies to put in place and maintain a continuing communication strategy on anti-money laundering and on threats to consumers."

I was also audacious enough to make some comments about what I saw as the characteristics of an effective UK Anti-money laundering regime. They were:

  • 'A clear UK anti-money laundering strategy; roles and responsibilities for delivering that strategy are well-understood; and resources are delivered to implement the strategy'.
  • 'We have an efficient SAR regime that delivers value to law enforcement and is used to target the efforts of reporting institutions'.
  • 'Law enforcement has adequate resources, and is organised, to do justice to SARs and to provide good, continuing feedback to NCIS and the industry'.
  • 'The legal framework, from the EU down, is risk-based and proportionate and allows for the dynamic evolution of anti-money laundering techniques over time'.

HM Treasury's AML/CFT strategy "the financial challenge to crime and terrorism" published in February this year addresses the first of these characteristics.

The Lander review of the SAR's regime published in 2006 addresses the second and third,

On the fourth, risk-based approach, I said in 2004 quite a lot about the theory of the risk-based approach but few of us knew what it really meant. It is interesting to note how things have changed.

  • A Google search, UK sources only, on the phrase "risk based approach" produced 20,300 entries in 2004, the same search today produced about 2.6 million entries!
  • In 2004 the EU and UK AML legislation wasn't risk-based and nor was the industry guidance. Now we have an explicit requirement to be risk-based in the 3rd Money-Laundering Directive, to be transposed into UK law and we have risk-based Sectoral Guidance published by the JMLSG.
  • Last Friday, the FATF itself agreed guidance for governments, regulators and the private financial sector on how to implement a risk based approach.

Let me talk a little about the issue of Identification.

Do any of you remember the problems we were having with the identification and verification regime in 2004? I do, I got many, many MP letters about it, and lots of negative press coverage. That frenzy of objections has gone away. Most people opening an account in the financial sector need only provide one piece of photo ID, and seem happy to do so. I would like to think that this has come about because of the work, led by the FSA, on 'Defusing the ID issue', in 2004 and 2005, which contributed its findings to the JMLSG to inform its re-write of the Guidance. Of Course, some of that angst we had in the financial sector has passed over to those of us who want to open a relationship with a DNFBP (a FATF acronym for Designated Non-financial Business and Professionals so that would be a lawyer, accountant or estate agent to you and me!)..

Back to topBack to top

Not only this but:

  • We have retrained FSA supervisors in the new AML approach, using trainers from the Industry, to explain the Government approved Industry Guidance to FSA supervisors.
  • There is improved inter-stakeholders contact both via formal means such as the Money-Laundering Advisory Committee (MLAC) and the SARs regime committee, but also through more informal forums such as today's Conference, that enable all of us to communicate and run projects of similar interest/concerns on financial crime issues.
  • We've worked with various stakeholders to ensure that consumers are adequately informed of the threats, through the production of leaflets, notably on anti-money laundering identity checks and identity theft. There is a lot more we could all do in this area.

And what about, fraud.

I made clear in my speech in October 2004 that our new policy, Fighting Fraud in Partnership, was based on the need for a 'collective effort to improve the fight against fraud in the financial services sector, and for the FSA to make a distinctive, important contribution to that effort'. Fraud was put as an investment priority by the FSA, and collaboration sought and required from all the partners engaged in fighting fraud. I believed a shared vision would help make us all push in the same direction, and help us learn from one another.

I also called for the Government to accord fraud a higher priority and develop a strategic approach to tackle it, so we could build better fraud defences. In order to do so, I emphasised we needed to have a clearer picture of the scale of fraud and of its main risks, as well as better data-sharing on fraud, that should be led by trade associatons.

We still don’t have a clear understanding of the true size of the problem, but the Government's Fraud Review set out the problems involved in tackling fraud cogently, and we support its main recommendations, and particularly the creation of the National Fraud Strategic Authority (NFSA), the National Reporting Fraud Centre and proposals for plea bargaining.

The development and implementation of the Fraud strategy is taking shape, with the support of engaged trade associations and of the industry and a broad range of government departments, and the working group on measurement, being led by Jim Gee of KPMG may assist in qualifying the problem, and our joint impact on it As for the trade bodies, we have seen the publication of the Fraud Manager's handbook by the British Bankers Association; the creation of the Insurance Fraud Bureau by the ABI to share information about false claims between insurers and enhanced data sharing opportunities via CIFAS, including a still underused staff fraud database, and the usual innovative ideas from the Finance and Leasing Association, from which we will miss Martin Hall.

We have also seen a considerable injection of funds into the the City of London Police, allowing co-location of the economic crime unit with the SFO in new premises which opened recently, and increased efforts by the Met, not least Operation Sterling.

So, all in all, we can say we have definitely raised our game in the UK.

Back to topBack to top

Assessing performance

Now for those of you who look at the FSA and wonder Quis custodiet ipsos custodies - who will watch the watchmen?, I have an answer, or rather two. The National Audit Office and The Financial Action task Force. The FSA's financial crime work has been audited (or subject to a supervisory visit if you want) twice in 2006. First by the NAO, which reported in April 2007, and then by the FATF, which published its findings today.

The NAO report, like any ARROW letter, makes a number of points about what can be improved, and also makes a number of comments about where the FSA has done well. I was particularly pleased with:

"The FSA has increasingly encouraged financial institutions to adopt a risk based approach, particularly in respect of their money laundering controls, so that institutions do not impose unnecessary identity checks on low risk consumers. The FSA's new approach has been widely applauded by Financial Institutions"; and

"The FSA has recorded some important achievements in working with other UK agencies responsible for financial crime reduction in the UK. In particular it has acted as a catalyst to lead a wide range of organisations to adopt a common approach to financial crime issues"

But they also set out some areas for improvement, notably in;

"Keeping supervisory staff fully informed of….. Financial crime issues"; and

"Examining the basis of risk assessments to determine if ……greater weight should be given to [financial crime issues in] smaller firms than at present"

What about the FATF's evaluation?. Well again, like an ARROW assessment this contains good things, and some areas for improvement. In this case, however, we are being assessed against a global standard, using detailed criteria common to all evaluations worldwide.

The evaluation covered the whole UK AML/CFT regime, and I am pleased to say that the results are broadly positive for the UK including supporting our risk based approach to regulation and supervision. The FSA is already tackling some of the relevant recommendations made in the report as part of its increased financial crime work programme. The evaluation also observes that many of the technical concerns raised by the FATF assessors will be addressed when the 3rd EU Money Laundering Directive is brought in to effect in December 2007. In June, the UK got 36 positive assessment scores out of a possible 49, but had it been December we judged that this would have risen 46 out of 49, the highest so far.

There are some seemingly perverse results, for example, the UK is scored as Non Compliant for the regime we have in place for Politically Exposed Persons, despite being able to demonstrate the the regime is effective, with over 2800 suspicious activity reports a year, a dedicated PEPs unit in SOCA's Financial Intelligence Unit and 19 active PEP investigations being undertaken at present by law enforcement. This is due to the need for the PEP related obligations to be in Law or Regulation under the detailed criteria, and will be corrected by the 3rd directive. This peverse effect can be seen elsewhere, in the scoring of the recommendations on correspondent banking, transaction monitoring and shell banks.

Back to topBack to top

Looking forward

As many of you will be aware, we set up in January our new Financial Crime & Intelligence Division so that we could provide a centre of expertise within the FSA on financial crime issues. As part of our new Financial Crime and Intelligence Division, we have created an operations team to give us the capacity to undertake more thematic and case work on financial crime issues, including those where firms or law enforcement agencies may alert us to an urgent problem.

This is likely to mean us visiting more firms and more often to discuss financial crime issues, as is part of raising the FSA's - and the UK's – game in the fight against financial crime. For the major pieces of thematic work we currently have in progress, on personal data security and the implementation of the JMLSG Guidance, we are already planning to visit far more, and a wider range of, firms than we have for previous financial crime projects. And for the first time we are including some of the smaller firms we regulate in these general thematic samples.

I want to stress here how important the result of our thematic work is. As with our earlier financial crime thematic work, and indeed our thematic work in other areas, we will provide feedback to the firms directly involved, provide guidance to our supervisors, and publish the overall conclusions of our work. We publish reports of this sort to raise awareness in the industry of current risks and good industry practice in mitigating them.

We very much expect firms to take advantage of these reports to assess their anti-financial crime systems and controls and raise their standards where necessary. Should we find in subsequent supervisory work that a firm has significant weaknesses in an area covered by our financial work thematic work, and has failed to take our findings into account, we would be looking closely at the circumstances around it, and that would inevitably have a bearing on how the FSA decided to deal with the firm.

To give you a flavour of our current work in this area, I am pleased to announce that we have today published our report on Anti-Money Laundering Controls in Private Banking, and I encourage you to have a look at our findings and advice on good practice. Overall we found in our review that Private Banks acknowledged the relatively high inherent money laundering risk within many of their business activities and recognised the need to develop and implement strong AML systems and controls to address this. However, we are raising some specific issues that would merit further attention in the areas of risk identification, oversight and control, Customer Due Diligence and the role of customer relationship managers in mitigating money laundering risk.

As I said at the beginning, these reports are meant to be read by the industry… and used by the industry, not only by the fraudsters who want to know where firms' weaknesses are!

Smaller Firms

I also want to announce a new approach to assessing and mitigating the risk of Financial Crime in smaller firms. We have already been carrying out thematic work on financial crime in smaller firms in Retail Small Firms Division and in Wholesale Firms Division.: there is an established approach in place for this. However, going forward, both these Divisions will also work more closely with the newly created Financial Crime and Intelligence Division, to carry out more statistically robust sampling, which will mean that more firms will be examined more frequently to assess their efforts in reducing the likelihood of being used for financial crime.

Back to topBack to top

Information Security

You will recall that both John Tiner and I spoke at the FSA's Financial Crime Conference earlier this year about the high risk of financial crime and identity fraud arising from compromises of customer data held both within the financial services sector and outside it.

In what is now a mature and well developed market, full details for a UK credit card are advertised for sale for between $2-$12 - I think you'll agree that's an entry level price, some might even say a loss leader! . Because of the well-organised, secretive and international nature of this criminal activity, it is very difficult for law enforcement agencies to bring these fraudsters to justice.

From the beginning of the year until mid-June, the Financial Crime Operations Team had investigated 76 cases of crystallised financial crime risk in firms. Of these, 22 cases - or just under a third, - related to the compromise of customer data. This is therefore the most common type of financial crime incident that we have been dealing with.

Worryingly, nearly all of these data compromises were due to carelessness breaches of procedures or poor controls - they were not due to sophisticated hi-tech attacks by organised criminal gangs. Data compromises often affect a limited number of customers, but the sensitivity of the lost data puts those consumers at a very high risk of financial crime and identity fraud.

So let's be clear about this. Information security risk cannot be mitigated by hi-tech means, such as encryption of laptops, alone - though these are of course important. Protecting customer data is just as much about good vetting practices and clear and appropriate policies and procedures communicated to staff in a sensible way. Asking your staff simply to sign off annually that they have read your policies and procedures is probably not enough - unless you really think all your staff read your firm's staff handbook from front to back and put it in to practice with no other incentives of course!

Another cause for concern is the way in which we have seen many firms deal with data security incidents. The general trend we see is that they appear more concerned about the possibility of adverse publicity and reputational damage to themselves than the risk to their customers of financial crime or identity fraud.

If many firms are quick to tighten up fraud monitoring on their own accounts (and this is, of course, quite right), few are willing to tell customers that their data has been compromised or provide them with advice on how they can protect themselves from the wider risks of identity fraud. However, there are exceptions. Some firms have shown the well-organised response to information security breaches that we would expect. This has included, for example, the firm providing consumers with educational literature and paying for affected consumers to obtain their credit files or take out CIFAS Protective Registration.

We are committed to reducing the risk of customer data compromise. Not only is this a priority for supervision teams, but the FC Operations Team has recently started a major piece of thematic work looking at firms' controls in this area. A comprehensive report, including good practice guidance and areas for improvement will follow in the first quarter of 2008, with updates as we proceed provided in our Financial Crime Newsletter.

Finally, let me say that as a principle based regulator, we strongly welcome industry initiatives that help achieve our objective to reduce the capacity of firms to be used for a purpose connected with financial crime. Let me provide you with a recent example to close this speech.

Recently, the Wolfsberg Group have presented proposals to a number of regulators about how the international payments system can be made more transparent, to make it easier for banks and, if necessary, the authorities, to detect how inter-bank payments can be used as a conduit for funds from undesirable sources, or for money which will be used for nefarious ends.

Amongst other things the Wolfsberg Group have proposed some "messaging practice standards" that they believe should be observed in relation to payment messages originated or processed by a financial institution. These are;

  • "The financial institution should not omit, delete or alter information in payment messages or orders for the inappropriate purpose of avoiding detection of that information by any other financial institution in the payment process".
  • "The financial institution should not use any particular message type for the inappropriate purpose of avoiding detection of information by any other financial institution in the payment process. Thus, for example, a “cover payment” is appropriate unless used with the intent or objective of preventing another financial institution from being aware of information about the parties to the payment."
  • "Subject to any applicable law, the financial institution should cooperate as fully as practicable with other financial institutions in the payment process when they appropriately request information about the parties involved."

    Source: Presentation Wolfsberg Forum May 2007

FSA welcomes the public/private sector dialogue over this issue initiated by the members of the industry in the Wolfsberg Group and the Clearing House Association.

It seems to us at the FSA that the Wolfsberg "messaging practice standards" represent the behaviours that we, as a supervisor, expect banks to operate to ensure the transparency of the payments system.

We also agree that the vulnerabilities in the so called "cover payments" system need to be addressed and welcome any proposals from the industry to increase the transparency of international and domestic payments. We consider practitioners to be best placed to design the technical solutions to meet this challenge. But we also believe that the issues raised by this industry initiative also need further discussion by supervisory authorities to see how they might inform regulatory and supervisory policies and priorities,

We welcome this kind of valuable industry initiative. It is by moving in the same direction together that our framework to tackle money-laundering, terrorist-financing or fraud will gain strength and cohesion. As I have highlighted today, we've made real progress since 2004. But the criminals are also moving as fast, probably faster, than us.

So not only do we need to be aware of the threats, but we also need to constantly raise our game, and share our knowledge, if we want to stay in the game, and have an impact in the fight against crime.

Many thanks for your attention.

Back to topBack to top

More Speeches: