FCTR 9.3 Consolidated examples of good and poor practice

FCTR 9.3.1

Governance and management information

Examples of good practice

- Clear, documented responsibility for anti-bribery and corruption apportioned to either a single senior manager or a committee with appropriate Terms of Reference and senior management membership, reporting ultimately to the Board.
- Good Board-level and senior management understanding of the bribery and corruption risks faced by the firm, the materiality to their business and how to apply a risk-based approach to anti-bribery and corruption work.
- Swift and effective senior management-led response to significant bribery and corruption events, which highlight potential areas for improvement in systems and controls.
- Regular MI to the Board and other relevant senior management forums.
- MI includes information about third parties including (but not limited to) new third party accounts, their risk classification, higher risk third party payments for the preceding period, changes to third-party bank account details and unusually high commission paid to third parties.
- MI submitted to the Board ensures they are adequately informed of any external developments relevant to bribery and corruption.
- Actions taken or proposed in response to issues highlighted by MI are minuted and acted on appropriately.

Examples of poor practice

- Failing to allocate official responsibility for anti-bribery and corruption to a single senior manager or appropriately formed committee.
- A lack of awareness and/or engagement in anti-bribery and corruption at senior management or Board level.
- Little or no MI sent to the Board about higher risk third party relationships or payments.
- Failing to include details of wider issues, such as new legislation or regulatory developments, in MI.
- IT systems unable to produce the necessary MI.

FCTR 9.3.2

Risk assessment and responses to significant bribery and corruption events

Examples of good practice

- Regular assessments of bribery and corruption risks with a specific senior person responsible for ensuring this is done, taking into account the country and class of business involved as well as other relevant factors.
- More robust due diligence on and monitoring of higher risk third-party relationships.
- Thorough reviews and gap analyses of systems and controls against relevant external events, with strong senior management involvement or sponsorship.
- Ensuring review teams have sufficient knowledge of relevant issues and supplementing this with external expertise where necessary.
- Establishing clear plans to implement improvements arising from reviews, including updating policies, procedures and staff training.
- Adequate and prompt reporting to SOCA (Serious Organised Crime Agency; see FCG Annex 1 for common terms) of any inappropriate payments identified during business practice review.

Examples of poor practice

- Failing to consider the bribery and corruption risks posed by third parties used to win business.
- Failing to allocate formal responsibility for anti-bribery and corruption risk assessments.
- Little or no MI sent to the Board about higher risk third party relationships or payments.
- Failing to respond to external events which may draw attention to weaknesses in systems and controls.
- Taking too long to implement changes to systems and controls after analysing external events.
- Failure to bolster insufficient in-house knowledge or resource with external expertise.
- Failure to report inappropriate payments to SOCA and a lack of openness in dealing with us concerning any material issues identified.

FCTR 9.3.3

Due diligence on third-party relationships

Examples of good practice

- Establishing and documenting policies with a clear definition of a ‘third party’ and the due diligence required when establishing and reviewing third-party relationships.
- More robust due diligence on third parties which pose the greatest risk of bribery and corruption, including a detailed understanding of the business case for using them.
- Having a clear understanding of the roles clients, reinsurers, solicitors and loss adjusters play in transactions to ensure they are not carrying out higher risk activities.
- Taking reasonable steps to verify the information provided by third parties during the due diligence process.
- Using third party forms which ask relevant questions and clearly state which fields are mandatory.
- Having third party account opening forms reviewed and approved by compliance, risk or committees involving these areas.
- Using commercially-available intelligence tools, databases and/or other research techniques such as internet search engines to check third-party declarations about connections to public officials, clients or the assured.
- Routinely informing all parties involved in the insurance transaction about the involvement of third parties being paid commission.
- Ensuring current third-party due diligence standards are appropriate when business is acquired that is higher risk than existing business.
- Considering the level of bribery and corruption risk posed by a third party when agreeing the level of commission.
- Setting commission limits or guidelines which take into account risk factors related to the role of the third party, the country involved and the class of business.
- Paying commission to third parties on a one-off fee basis where their role is pure introduction.
- Taking reasonable steps to ensure that bank accounts used by third parties to receive payments are, in fact, controlled by the third party for which the payment is meant. For example, broker firms might wish to see the third party’s bank statement or have the third party write them a low value cheque.
- Higher or extra levels of approval for high risk third-party relationships.
- Regularly reviewing third-party relationships to identify the nature and risk profile of third-party relationships.
- Maintaining accurate central records of approved third parties, the due diligence conducted on the relationship and evidence of periodic reviews.

Examples of poor practice

- Failing to carry out or document due diligence on third-party relationships.
- Relying heavily on the informal ‘market view’ of the integrity of third parties as due diligence.
- Relying on the fact that third-party relationships are longstanding when no due diligence has ever been carried out.
- Failing to respond to external events which may draw attention to weaknesses in systems and controls.
- Asking third parties to fill in account opening forms which are not relevant to them (e.g. individuals filling in forms aimed at corporate entities).
- Accepting vague explanations of the business case for using third parties.
- Approvers of third-party relationships working within the broking department or being too close to it to provide adequate challenge.
- Accepting instructions from third parties to pay commission to other individuals or entities which have not been subject to due diligence.
- Assuming that third-party relationships acquired from other firms have been subject to adequate due diligence.
- Paying high levels of commission to third parties used to obtain or retain higher risk business, especially if their only role is to introduce the business.
- Receiving bank details from third parties via informal channels such as email, particularly if email addresses are from webmail (e.g. Hotmail) accounts or do not appear to be obviously connected to the third party.
- Leaving redundant third-party accounts ‘live’ on the accounting systems because third-party relationships have not been regularly reviewed.
- Being unable to produce a list of approved third parties, associated due diligence and details of payments made to them.

FCTR 9.3.4

Payment controls

Examples of good practice

- Ensuring adequate due diligence and approval of third-party relationships before payments are made to the third party.
- Risk-based approval procedures for payments and a clear understanding of why payments are made.
- Checking third-party payments individually prior to approval, to ensure consistency with the business case for that account.
- Regular and thorough monitoring of third-party payments to check, for example, whether a payment is unusual in the context of previous similar payments.
- A healthily sceptical approach to approving third-party payments.
- Adequate due diligence on new suppliers being added to the Accounts Payable system.
- Clear limits on staff expenditure, which are fully documented, communicated to staff and enforced.
- Limiting third-party payments from Accounts Payable to reimbursements of genuine business-related costs or reasonable entertainment.
- Ensuring the reasons for third-party payments via Accounts Payable are clearly documented and appropriately approved.
- The facility to produce accurate MI to facilitate effective payment monitoring.

Examples of poor practice

- Failing to check whether third parties to whom payments are due have been subject to appropriate due diligence and approval.
- The inability to produce regular third-party payment schedules for review.
- Failing to check thoroughly the nature, reasonableness and appropriateness of gifts and hospitality.
- No absolute limits on different types of expenditure, combined with inadequate scrutiny during the approvals process.
- The giving or receipt of cash gifts.
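The payment and due-diligence signals the guide lists (approval before payment, changed bank details, instructions from webmail or unrelated addresses, commission above a risk-based limit, amounts unusual against earlier payments, extra approval for higher risk parties) are the kind of checks a payment-review tool can apply before a payment reaches the approver. The following is an added illustration, not code from the guide or any firm: a Python check over a constructed third-party register and payment records; the commission caps, the three-times-median threshold and the webmail domains other than Hotmail are assumptions.

```python
from statistics import median

# Constructed approved third-party register (not from the guide): due diligence
# status, country risk band, approved bank account and the contact on file.
REGISTER = {
    "TP-001": {"risk": "high", "dd_done": True, "iban": "GB11AAAA0001", "email": "ops@agentco.example"},
    "TP-002": {"risk": "low", "dd_done": True, "iban": "GB11AAAA0002", "email": "acct@partner.example"},
}
COMMISSION_CAP = {"low": 0.15, "high": 0.10}  # assumed guideline rates by country risk
WEBMAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com"}  # Hotmail is the guide's example

def review_payment(payment, history, register=REGISTER, caps=COMMISSION_CAP):
    """Return the reasons a third-party payment needs extra scrutiny before approval."""
    flags = []
    tp = register.get(payment["third_party"])
    if tp is None or not tp["dd_done"]:
        return ["third party not approved or no due diligence on file"]
    if payment["iban"] != tp["iban"]:
        flags.append("bank details differ from the approved record")
    domain = payment["instruction_email"].rsplit("@", 1)[-1].lower()
    if domain in WEBMAIL_DOMAINS or not tp["email"].lower().endswith("@" + domain):
        flags.append("payment instruction sent from a webmail or unrelated address")
    rate = payment["amount"] / payment["premium"]
    cap = caps[tp["risk"]]
    if rate > cap:
        flags.append(f"commission {rate:.0%} exceeds the {cap:.0%} cap for {tp['risk']}-risk business")
    prior = [h["amount"] for h in history if h["third_party"] == payment["third_party"]]
    if len(prior) >= 3 and payment["amount"] > 3 * median(prior):  # assumed threshold
        flags.append("amount is more than three times the median of earlier payments")
    if tp["risk"] == "high" and not payment.get("second_approver"):
        flags.append("higher risk third party: a second approver is required")
    return flags

HISTORY = [  # constructed earlier payments to the same introducer
    {"third_party": "TP-001", "amount": 900.0},
    {"third_party": "TP-001", "amount": 1100.0},
    {"third_party": "TP-001", "amount": 1000.0},
]
SUSPECT = {  # constructed: new bank details, webmail instruction, high and unusual amount
    "third_party": "TP-001", "amount": 6000.0, "premium": 40000.0,
    "iban": "GB11ZZZZ9999", "instruction_email": "agentco-ops@hotmail.com",
}
CLEAN = {"third_party": "TP-002", "amount": 500.0, "premium": 5000.0,
         "iban": "GB11AAAA0002", "instruction_email": "acct@partner.example"}

if __name__ == "__main__":
    for name, pay in (("SUSPECT", SUSPECT), ("CLEAN", CLEAN)):
        print(name, review_payment(pay, HISTORY) or ["no exceptions"])
```

The flags are the exceptions an approver would see on the payment schedule; a payment with none still goes through the normal approval path rather than being auto-approved.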

FCTR 9.3.5

Staff recruitment and vetting

Examples of good practice

- Vetting staff on a risk-based approach, taking into account financial crime risk.
- Enhanced vetting – including checks of credit records, criminal records, financial sanctions lists, commercially available intelligence databases and the CIFAS Staff Fraud Database – for staff in roles with higher bribery and corruption risk.
- A risk-based approach to dealing with adverse information raised by vetting checks, taking into account its seriousness and relevance in the context of the individual’s role or proposed role.
- Where employment agencies are used to recruit staff in higher risk positions, having a clear understanding of the checks they carry out on prospective staff.
- Conducting periodic checks to ensure that agencies are complying with agreed vetting standards.
- A formal process for identifying changes in existing employees’ financial soundness which might make them more vulnerable to becoming involved in, or committing, corrupt practices.

Examples of poor practice

- Relying entirely on an individual’s market reputation or market gossip as the basis for recruiting staff.
- Failing to check thoroughly the nature, reasonableness and appropriateness of gifts and hospitality.
- Failing to consider on a continuing basis whether staff in higher risk positions are becoming vulnerable to committing fraud or being coerced by criminals.
- Relying on contracts with employment agencies covering staff vetting standards without checking periodically that the agency is adhering to them.
- Temporary or contract staff receiving less rigorous vetting than permanently employed colleagues carrying out similar roles.

FCTR 9.3.6

Training and awareness

Examples of good practice

- Providing good quality, standard training on anti-bribery and corruption for all staff.
- Additional anti-bribery and corruption training for staff in higher risk positions.
- Ensuring staff responsible for training others have adequate training themselves.
- Ensuring training covers practical examples of risk and how to comply with policies.
- Testing staff understanding and using the results to assess individual training needs and the overall quality of the training.
- Staff records setting out what training was completed and when.
- Providing refresher training and ensuring it is kept up to date.

Examples of poor practice

- Failing to provide training on anti-bribery and corruption, especially to staff in higher risk positions.
- Training staff on legislative and regulatory requirements but failing to provide practical examples of how to comply with them.
- Failing to ensure anti-bribery and corruption policies and procedures are easily accessible to staff.
- Neglecting the need for appropriate staff training in the belief that robust payment controls are sufficient to combat bribery and corruption.

FCTR 9.3.7

Risk arising from remuneration structures

Examples of good practice

- Assessing whether remuneration structures give rise to increased risk of bribery and corruption.
- Determining individual bonus awards on the basis of several factors, including a good standard of compliance, not just the amount of income generated.
- Deferral and clawback provisions for bonuses paid to staff in higher risk positions.

Examples of poor practice

- Bonus structures for staff in higher risk positions which are directly linked (e.g. by a formula) solely to the amount of income or profit they produce, particularly when bonuses form a major part, or the majority, of total remuneration.

FCTR 9.3.8

Incident reporting

Examples of good practice

- Clear procedures for whistleblowing and reporting suspicions, and communicating these to staff.
- Appointing a senior manager to oversee the whistleblowing process and act as a point of contact if an individual has concerns about their line management.
- Respect for the confidentiality of workers who raise concerns.
- Internal and external suspicious activity reporting procedures in line with the Joint Money Laundering Steering Group guidance.
- Keeping records or copies of internal suspicion reports which are not forwarded as SARs, for future reference and possible trend analysis.
- Financial crime training covers whistleblowing procedures and how to report suspicious activity.

Examples of poor practice

- Failing to report suspicious activity relating to bribery and corruption.
- No clear internal procedure for whistleblowing or reporting suspicions.
- No alternative reporting routes for staff wishing to make a whistleblowing disclosure about their line management or senior managers.
- A lack of training and awareness in relation to whistleblowing and the reporting of suspicious activity.

FCTR 9.3.9

The role of compliance and internal audit

Examples of good practice

- Compliance and internal audit staff receiving specialist training to achieve a very good knowledge of bribery and corruption risks.
- Effective compliance monitoring and internal audit reviews which challenge not only whether processes to mitigate bribery and corruption have been followed but also the effectiveness of the processes themselves.
- Independent checking of compliance’s operational role in approving third party relationships and accounts, where relevant.
- Routine compliance and/or internal audit checks of higher risk third party payments to ensure there is appropriate supporting documentation and adequate justification to pay.

Examples of poor practice

- Failing to carry out compliance or internal audit work on anti-bribery and corruption.
- Compliance, in effect, signing off their own work, by approving new third party accounts and carrying out compliance monitoring on the same accounts.
- Compliance and internal audit not recognising or acting on the need for a risk-based approach.