SUP 16 Annex 42B Guidance notes for completion of the Annual Financial Crime Report

G

1The form in SUP 16 Annex 42AR should only be completed by firms and electronic money institutions subject to the reporting requirements in SUP 16.23.4R and SUP 16.15.5AD of the FCA Handbook.

General Notes

This data item is reported on a single unit basis and in integers, except where a full-time equivalent (FTE) figure is requested. Where an FTE figure is requested, this should be reported to two decimal places where available. If the figure to be reported is a whole number, this should be reported as [n].00.

For the purposes of this data item and guidance notes, any references to firm or firms should be read as also applying to electronic money institutions.

This return allows firms to report for a specified group of firms in a single Annual Financial Crime Report. Where a report is filed for a group of firms, the reported information should be the aggregate data for those firms. Firms should note that this is only available where all the firms included are subject to the requirement (i.e. firms that would not be subject to the requirement on a solo entity basis, based on the application provision in SUP 16.23.1R should not be included).

Firms subject to the requirement and which have a different accounting reference date from the firm submitting the Annual Financial Crime Report on behalf of a group should have their firm reference numbers (FRNs) included in the group report list. They will then need to submit a nil return for the entity via the appropriate systems accessible from the FCA website.

For the purposes of completing this return, references to ‘customer’ or ‘client’ refer to customer or client relationships as defined in the FCA Handbook.

We will use the data we collect through this data item to assess the nature of financial crime risks within the financial services sector. Section 5 of this return is designed to allow the FCA to track the industry’s perception of the most prevalent fraud risks. A firm may not be specifically affected by the fraud typologies it considers most prevalent across the industry.

Data Elements

Group reporting

1A

Does the data in this report cover more than one authorised firm?

If the report is being submitted on behalf of a number of firms, firms should answer ‘yes’ to this question.

2A

If yes, list the FRNs of all additional firms included in this report.

Where a report is submitted on behalf of a number of firms, the submitting firm should report all of the FRNs of the firms included.

Firms included in this question will need to report a separate nil return for the entity via the appropriate systems accessible from the FCA website.

Section 1: Operating jurisdictions

Please list:

3A

The jurisdictions within which the firm operates as at the end of the reporting period.

Select from the list of country codes (in ISO 3166 format), the jurisdictions within which the firm is operating as at the end of the reporting period.

Only those jurisdictions active as at the end of the reporting period should be reported; if a firm terminated operations within a jurisdiction during the reporting period, this jurisdiction does not need to be reported.

‘Operates’ for the purposes of this form is defined as where the firm carries on its business or has a physical presence through a legal entity.

For avoidance of doubt, this definition includes those jurisdictions in which the firm has representative offices. It also includes any jurisdictions where the firm carries on business using a services passport or an establishment passport.

3B

Those jurisdictions assessed and considered high-risk by the firm.

Select from the list of country codes (in ISO 3166 format), the jurisdictions assessed and considered by the firm to be high-risk. Firms should report any jurisdictions considered high-risk in which they operate and any additional jurisdictions assessed as high-risk by the firm within the previous 2 years, e.g. as part of a Country Risk Assessment.

A firm is not required to report those jurisdictions in which it does not operate or which it has not assessed for risk.

This question should be answered with regard to the firm’s own assessment of risk, which may or may not include the use of available public indices.

Section 2: Customer information

Figures in this section should be for the number of customer or client relationships as at the end of the reporting period. It should include all accounts that are open, including dormant and inactive accounts. This would also include all current accounts, CTF bank accounts, client bank accounts and client transaction accounts. It excludes former customers or clients.

Where the figure requested is ‘new in the reporting period’, a firm should report new (not pre-existing) customer or client relationships initiated within the reporting period. This should not include existing customers taking on new products. A firm should only provide figures in this section for those areas of its business subject to the Money Laundering Regulations.

For non-financial institutions which may carry out regulated business (e.g. consumer credit), the firm should not include customers which are outside its regulated activities.

If any part of the firm’s business is subject to the Money Laundering Regulations, please provide the total number of the firm’s relationships with:

4A&B

Politically Exposed Persons (PEPs)

A definition of ‘Politically Exposed Person’ can be found in Regulation 14(5) of the Money Laundering Regulations. This could be either a customer or client relationship with an individual, or with a corporate entity which the firm has classified as being a PEP-connected customer due to the existence of PEP shareholders, PEP ultimate beneficial owners or PEP Board Directors, as per the firm’s own internal policy.

Firms should report the number of customer or client relationships, either individual or corporate, which they have classified as being PEP, or PEP-connected relationships. They should not report the total number of PEPs associated with a particular corporate customer or client.

Firms should not reclassify customers or clients for the purposes of completing this return. If firms do not classify or identify PEP-connected corporate entities as PEP customers or clients within their current policies, there is similarly no requirement to report.

If a firm uses its own alternative, wider, PEP definition (e.g. including domestic PEPs or retention periods longer than a year), it should submit figures using its own definition.

The figure provided should include existing customer or client relationships that became PEPs in the reporting period.

Where a PEP has multiple relationships with the firm, that PEP should only be reported once in each of questions 4A and 4B.

5A&B

Non-EEA correspondent banks

This refers to situations where a credit institution has a correspondent banking relationship with a respondent institution from a non-EEA state. These terms are intended as set out in Regulation 14(3) of the Money Laundering Regulations. Non-credit institutions who do not hold these types of relationships should simply record zero in their response.

6A&B

All other high-risk customers

This refers to a customer or client categorised as being of high-risk for the purposes of compliance with Regulation 14 of the Money Laundering Regulations, and therefore subject to Enhanced Customer Due Diligence measures, but not otherwise captured in response to question 4 or 5.

It does not include customers or clients meeting the definition under Regulation 14(2) (customers not physically present for identification purposes) except where they are deemed high-risk for other reasons.

For the firm’s business subject to the Money Laundering Regulations:

7-16

Please provide the number of the firm’s customer relationships located in the following geographical areas:

The location for customer or client relationships should be determined by the location in which the customer or client is based. Where a customer or client has multiple addresses, the location reported should be the primary correspondence address as determined by the firm.

Where the relationship is with a trust, the firm should report the location as the location of the trust.

Except for the United Kingdom and EEA, for the purposes of this question geographical areas should be determined with reference to SUP 16 Annex 42CG.

17

Please provide the number of the firm’s customers linked to those jurisdictions considered by the firm to be high-risk:

The firm should provide the number of customers judged by the firm to have links to jurisdictions identified by it as high-risk in question 3B.

Links to a high-risk jurisdiction, for the purposes of this question, means customers or clients that are resident/domiciled/incorporated in a jurisdiction identified as high-risk by the firm.

18A&B

Please provide the number of customer relationships refused or exited for financial crime reasons during the reporting period:

The number of ‘refused’ relationships refers to the number of customers or clients that the firm did not take on, where financial crime was the principal driver behind the decision.

It would not include customers or clients whose application did not proceed because, for example, they lacked appropriate documentary evidence of identity or who failed Immigration Act 2014 checks. It would include customers or clients whose application was escalated to management (due to financial crime concerns) for a decision on whether to proceed, and was rejected.

‘Relationships exited’ covers any customers or clients with whom the firm ceased to do business where financial crime was the principal driver behind the decision. This covers criminal behaviour by the customer or client where such behaviour has a financial element, e.g. benefits fraud.

Section 3: Compliance information

Please provide the number of suspicious activity reports (SARs) under Part 7 of the Proceeds of Crime Act 2002 (POCA):

19A

Submitted internally to the nominated officer/MLRO, within the firm, as at the end of the reporting period.

This includes reports filed internally from staff to the MLRO that relate to the staff member’s concerns, suspicions or knowledge of money laundering. The reported figure should include SARs generated by the AML/compliance function and system-generated SARs. These reports will be considered by the MLRO in order to decide whether a formal submission to the authorities is justified.

The figure should not include (either for staff-generated or system-generated SARs) any reports filtered out at an earlier stage.

19B

Disclosed to the National Crime Agency as at the end of the reporting period.

The number of SARs disclosed to the National Crime Agency within the reporting period, as at the end of the reporting period.

19C

The number of those SARs which were consent requests under s. 335 POCA.

The number of disclosed SARs which sought consent from the National Crime Agency within the reporting period, as at the end of the reporting period.

20

Please provide the number of SARs disclosed to the National Crime Agency under the Terrorism Act 2000 during the reporting period:

The number of SARs disclosed to the National Crime Agency under the Terrorism Act 2000 (including consent SARs) within the reporting period, as at the end of the reporting period.

21

Please provide the number of investigative court orders received as at the end of the reporting period:

This refers to production orders, disclosure orders, account monitoring orders and customer information orders as defined by the POCA, and/or the Terrorism Act 2000, received by the firm from law enforcement agencies or accredited financial investigators from other bodies as set out in an Order under section 453 of the POCA.

This would include, for example, investigative court orders relating to suspected benefits fraud.

The figure reported for this field should be the number of court orders received, regardless of the number of relationships to which these relate.

22A&B

Please provide the number of restraint orders being serviced/in effect as at the end of the reporting period and the number of new restraint orders received during the reporting period:

A ‘restraint order’ here refers to either a restraint order under section 42 of the POCA or a property freezing order under section 245A of the POCA.

The number of restraint orders being serviced should include all restraint orders which are still in effect as at the end of the reporting period.

The number of new restraint orders received should include all new restraint orders received by the firm during the reporting period, as at the end of the reporting period.

The figure reported for this field should be the number of restraint orders received, regardless of the number of relationships to which these relate.

23A&B

Please provide the number of relationships maintained with natural or corporate persons (excluding group members) which introduce business to the firm. Please also provide the number of these relationships which have been exited for financial crime reasons during the reporting period.

This question refers to individuals who, or corporate entities which, directly introduce customers or clients to the firm under a formal agency/broker agreement in return for a direct or indirect fee, commission or other monetary benefit.

If the firm has appointed representatives (ARs):

24

Please provide the number of appointed representative (AR) relationships exited due to financial crime reasons:

Firms should report the number of existing AR relationships terminated for financial crime reasons during the reporting period.

For all firms:

25

As at the end of the reporting period, please provide the total full time equivalent (FTE) of UK staff with financial crime roles:

Firms should provide an FTE figure on a reasonable endeavours basis.

For example, if the firm has 20 part time staff that work 50% of normal hours, the figure would be 10 FTE.

This field facilitates the entry of numbers to two decimal places. Integers should therefore be provided in the format [n].00.

If this report is being completed on a group basis this figure should be the FTE for the specified group.

Where this report is being completed on a single regulated entity basis and services are shared across multiple firms, firms may provide an estimate of the FTE spent on each reported entity on a best endeavours basis.

In firms where financial crime responsibilities are divided up among staff with other roles rather than managed by a dedicated function, the figure should reflect the aggregated FTE spent on financial crime activity.

The phrase ‘financial crime roles’ for the purposes of this question is intended to cover staff employed in a dedicated financial crime function (for example AML or compliance teams) who take decisions on financial crime issues. Therefore it would not cover teams or individuals responsible for collecting customer due diligence or those who submit internal suspicious activity reports.

Outsourced financial crime activities should not be included in this figure.

Of which:

26

Please provide the percentage of the FTE stated above dedicated to fraud responsibilities

Firms should provide a percentage figure on a reasonable endeavours basis. This field facilitates the entry of numbers to two decimal places. Integers should therefore be provided in the format [n].00.

If this report is being completed on a group basis this figure should be the percentage for the specified group.

Where this report is being completed on a single regulated entity basis and services are shared across multiple firms, firms may provide an estimate of the percentage spent on each reported entity on a best endeavours basis.

Section 4: Sanctions-specific information

27

Does the firm use an automated system (or systems) to conduct screening against relevant sanctions lists?

Firms should answer ‘Yes’ or ‘No’. Note there is no explicit regulatory or legal requirement for the use of automated screening tools. This question relates to automated systems for screening customers and clients only.

Relevant sanctions lists are the lists against which the firm screens its customers and clients.

28

How many TRUE sanction matches were detected during the reporting period?

The number of confirmed true sanctions alerts which matched against the firm’s customer, client or payment.

The number to be reported relates to any matches against any relevant sanctions lists and is defined as any matches reported to the relevant authorities, regardless of whether these are confirmed as true by the authority.

Relevant sanctions lists are the lists against which the firm screens its customers or clients.

29

Does the firm conduct repeat customer sanctions screening?

Firms should answer ‘Yes’ or ‘No’.

This question relates to repeat customer or client sanctions screening only.

Section 5: Fraud

30-35A-D

Please indicate the firm’s view of the top three most prevalent frauds which the FCA should be aware of and whether they are increasing, decreasing or unchanged.

NB. This question is not mandatory.

This question is designed to obtain the firm’s view on the most prevalent frauds relevant to the firm’s business and will be used by the FCA to understand whether the organisation is aware of the fraud risks identified by the broader industry.

The fraud typologies available in the dropdown list are a subset taken from the Action Fraud A-Z of fraud types and are specified below. Please refer to the Action Fraud definitions in answering this question.

The identified fraud typologies may or may not be those by which the firm has been specifically impacted, but should be those that the firm considers most prevalent as at the end of the reporting period.

Fraud typologies

419 emails and letters

Abuse of position of trust

Account takeover

Advance fee fraud

Application fraud

Asset misappropriation fraud

Bond fraud

Carbon credits fraud

Cashpoint fraud

Cheque fraud

Companies – fraudulent

Computer hacking

Credit card fraud

Debit card fraud

Expenses fraud Exploiting assets and information

Fraud recovery fraud

Hedge fund fraud

Identity fraud and identity theft

Insurance fraud

Landbanking fraud

Loan repayment fraud

Short and long firm fraud

Malware-enabled fraud

Mandate fraud

Mortgage fraud

Other (to be used where the specified typologies are not applicable). Please provide the fraud type in the free text box.

Other investment fraud

Pension liberation fraud

Phishing

Ponzi schemes

Procurement fraud

Pyramid schemes

Share sale fraud

Smishing

Vishing

Suspected perpetrators

Customer

Internal employee

Organised crime group

Other (to be used where the suspected perpetrator typologies are not applicable). Please provide the perpetrator type in the free text box.

Third party contractor

Third party professional

Third party supplier

Unknown third party

Primary Victim

Customer

Other (to be used where the suspected perpetrator is neither a customer nor a regulated firm/electronic money institution). Please provide the primary victim type in the free text box.

Regulated firm/electronic money institution (all jurisdictions).

Incidence

Decreasing

Emerging risk

Increasing

Stable