The FSA has now become two separate regulatory authorities and this site is no longer updated.
The Financial Conduct Authority can be found at and the Prudential Regulation Authority at
Archived versions of the FSA site are available at the National Archives.

What now

Email page to a friend

Print this page

Bookmark this page

Financial crime

We have compiled good and poor practices in relation to financial crime so you can compare these examples with your own credit union. Whilst they do not cover every situation, they can assist you in reviewing your current procedures.

Newsletter – February 2008


Data security

  • General
  • Physical controls
  • IT controls
  • Third-party access

Data control

  • Data retention
  • Data disposal

Data Security

  • You should carry out regular reviews of the controls they have in place to monitor the risk of data security to both the membership and the staff or volunteers engaged in running the credit union.

Examples of good practice

  • Performs checks on potential employees, takes up references, conducts credit checks, or carries out Criminal Records Bureau (CRB) checks (especially when operating collection points at schools).
  • Conducts a risk assessment of data security and thinks about the risk to the sensitive pieces of information they hold about their members.
  • Has a formal policy and written procedures for the handling of sensitive data (both paper based and electronic), with staff being trained on these procedures.

Examples of poor practice

  • Unaware of the potential for financial crime and money laundering by its own staff and no suitable controls in place.
  • Had not considered the possibility of data being used for fraud and were unaware of how they would deal with such an instance.

Physical controls

Examples of good practice

  • Offices well secured. For example, locks, alarms, CCTV and in some instances, metal shutters used.
  • A credit union operating in a room of a shared office building, made sure the room was locked even if the room would only be empty for a short while.
  • Credit unions using office premises had a clear desk policy, so no sensitive documents were left on show overnight.

All firms should have a suitable clear desk policy understood by all staff. The policy should be monitored, tested and regularly reviewed as appropriate to the business, and poor practice highlighted to senior management.

  • Staff given lockers that all personal items (e.g. mobile phone, USB sticks) had to be placed in before entering the main office. This helped reduce the risk of portable devices being used inappropriately to store customer data.

Examples of poor practice

  • Secure filing keys kept in a filing cabinet shared with other organisations.
  • Filing cabinets where members' personal information kept were not locked. Where these were locked the keys were kept in the open (often on top of the cabinets themselves) or in a key safe that was shared with other organisations.
  • Members' files kept in an open box in the middle of an office.
  • No controls were put in place by the board to reduce the risk of access to personal information for unauthorised use.
IT controls

Examples of good practice

  • Credit union thinking about different users having different access rights to the computer system, depending on their role (e.g. supervisory committee only having 'read only' access).
  • Each volunteer or staff member had their own password to the IT system. All volunteers and staff ensured their username and password were kept private.

Passwords need to be complex enough not to be easily guessed and they should not be written down. Guidance on strong passwords is available from the government-backed group Get Safe Online.

  • Laptops kept in secure cabinets, even when stored away from the main office, thus reducing the opportunity for theft or data compromise.

Examples of poor practice

  • No control maintained over whereabouts and use of laptops. It is possible for third parties to access the internet on these machines, which could lead to introduction of a virus or interrogation of a database.
Third party access

Example of good practice

  • Considering which third parties (e.g. software providers, auditors) can access customer data and how this is controlled.

Example of poor practice

  • Software providers having unlimited access to the credit union's systems and able to access the entire computer system remotely without permission.
Data Control

You should have a formal procedure for control of data which can be effectively monitored and tested on a regular basis.

Data retention

Examples of good practice

  • Computer records backed-up regularly, with the back-up held securely off site.
  • Data that was sent or taken to other locations was encrypted and or password protected.
Data disposal

Examples of good practice

  • All paper documents containing sensitive information were shredded. 
  • Where a third party was employed to shred sensitive documents this was done in front of a credit union staff member.
  • Obsolete computer equipment disposed of or passed to another organisation for disposal, with the hard drive always removed and physically destroyed.
  • Sensitive member data was never emailed out of the credit union, to avoid the chance of it being misdirected.

Examples of poor practice

  • Not given consideration as to how they would dispose of electronic information in accordance with Data Protection rules.
  • Keeping all the information held about all the members and even ex-members.

Money laundering rules state that a credit union should keep details of transactions for at least five years from the date of transaction.

Members' details should be kept for five years from the date the relationship ceases. Data Protection rules state they must be kept for a maximum of seven years.

Policies and procedures

Examples of good practice

  • Branches of multiple offices connected using secure lines.
  • Dormant accounts treated as new members when becoming active again.

Examples of poor practices

  • A book of pre-signed cheques kept to pay members.

This is a big risk and if you are doing this you should think of a different process for signing cheques to minimise the risk of financial crime in this area.

  • Members of staff able to process a whole transaction from start to finish (from creating a member through to them taking out a loan and making share deposits).

Page last updated: 04/04/13