Fraud Risk Management: The FSA’s Expectations

Jonathan Marsh, Partner, Berwin Leighton Paisner, Adelaide House, London Bridge, London EC4R 9HA. Tel: 020 7760 1000. Fax: 020 7760 1111

Post on 14-Dec-2015


Overview

Where is the FSA coming from?

What are the FSA’s expectations?

Dealing with the aftermath


The FSA’s regulatory objectives – s.2 FSMA

Market confidence

Public awareness

Consumer protection

Reduction of financial crime


The reduction of financial crime objective – s.6 FSMA

Reducing the extent to which regulated persons and businesses in breach of the general prohibition can be used for a purpose connected with financial crime

Financial crime is any offence involving:

– Fraud or dishonesty

– Market abuse

– Money laundering


The reduction of financial crime objective – s.6 FSMA

The FSA must, in particular, have regard to the desirability of regulated persons:

– Being aware of the risk of their businesses being used in connection with the commission of financial crime

– Taking appropriate measures (in relation to their administration and employment practices, the conduct of transactions by them and otherwise) to prevent financial crime, facilitate its detection and monitor its incidence

– Devoting adequate resources to prevention, detection and monitoring


An increased focus

October 2004: Philip Robinson speech – the FSA’s new approach to fraud – fighting fraud in partnership

February 2006: Firms’ High Level Management of Fraud Risk

March 2006: Capita Financial Administrators Limited


Fighting fraud in partnership: key messages

strong anti-fraud culture led from the top

clear allocation of responsibility for fraud risk management

staff training

KYC procedures

capture and use of management information on fraud

The FSA will pay “more attention to firms’ arrangements for managing their fraud risks”


Firms’ High Level Management of Fraud Risk – Roles, Responsibilities and Resources

High level sponsorship of fraud management at executive level

Boards/board committees receive fraud reports but not expected to have direct involvement in formulation and monitoring of anti-fraud initiatives

Development and monitoring of fraud strategies typically the responsibility of high-level management committees e.g. risk committee or fraud “steering groups”

Approval of anti-fraud strategies and plans was sometimes informal and director level accountability for delivery of strategies and plans was unclear


Firms’ High Level Management of Fraud Risk – Roles, Responsibilities and Resources

High risk organisations (e.g. retail banks, insurers) – generally well defined anti-fraud roles and responsibilities

Lower risk organisations (e.g. investment banks, asset managers) – reliance on control procedures not specifically labelled as anti-fraud measures

The FSA’s view: without formal, integrated anti-fraud responsibilities and structures, anti-fraud initiatives may be difficult to sustain on an ongoing basis

Favourable comment on a “hub and spoke” model with a central team coordinating anti-fraud activity and dissemination of best practice


Firms’ High Level Management of Fraud Risk – Fraud Data and Reporting

Accurate and detailed fraud data and analysis necessary to assess where and why there is a fraud risk

Systems and controls should be capable of detecting fraud risk at an early stage

Role of trade associations in collecting and sharing fraud related data


Firms’ High Level Management of Fraud Risk – Risk Assessment and Risk Appetite

Generally fraud risk was reported and reviewed within operational risk management reporting channels

Lack of formal fraud risk assessment processes beyond those required for operational risk purposes

Firms need to assess the fraud risk that they are exposed to (e.g. mispricing in the derivatives sector) and ensure that appropriate controls are in place to mitigate this risk

Allocation of anti-fraud resources was generally not driven by a clear cost-benefit or risk appetite analysis


Firms’ High Level Management of Fraud Risk – Business Engagement, Systems and Controls

Investment in systems and controls and a focus on robust anti-fraud operational processes is key to risk mitigation

Fraud threats are dynamic and the ability to meet emerging fraud threats depends on good analytics in a firm’s anti-fraud operations

Focused management of internal (staff) fraud risk

– Enhanced vetting

– High profile arrests

– Communication and awareness

Focused management of fraud risk in product design – fraud risk identification should take place at an early stage


Firms’ High Level Management of Fraud Risk – Recruitment

Insider fraud (coercion, collusion, infiltration or employee’s own initiatives) considered to be one of the most serious fraud threats faced by financial institutions

Enhanced vetting procedures e.g. use of specialist agencies to conduct pre-employment screening with varying levels of screening depending on seniority

Vetting key suppliers and insisting on agreed standards of employee screening which will be checked by random, unannounced visits

Insider profiling – working with the police to compare new recruits against insider profiles


Firms’ High Level Management of Fraud Risk – Anti-Fraud Training

Generally fraud awareness training given to new staff as part of induction

Newsletters or staff alerts

Computer-based training packages

Training predicated on “red flag” recognition

Good practice guidelines supported by tailored training on a divisional basis

Varying approaches to staff training


Firms’ High Level Management of Fraud Risk – Resources for Tackling Fraud

Increase in the size of dedicated anti-fraud teams and staff

Increase in awareness of financial crime and fraud risk

High hurdle rates applied to proposals for anti-fraud investment and financial considerations outweighed qualitative concerns such as reputational risk


Firms’ High Level Management of Fraud Risk – Fraud Investigations

In larger firms responsibility for significant or complex fraud investigations was delegated to specialist departments

At other firms responsibility given to corporate security or audit

Varying degrees of sophistication e.g. some fraud investigation units able to conduct investigations to criminal investigation standards (including computer forensics)

Increased threat of e-fraud makes investigation more difficult

Use of “post-mortems” to improve risk mitigation


Firms’ High Level Management of Fraud Risk – External Liaison and Communication

Increased industry cooperation and strong support within firms for this but more needs to be done to share data and information on the perpetrators of fraud


Firms’ High Level Management of Fraud Risk – Educating Consumers

Tension between implementation of anti-fraud measures and customer convenience

The degree to which customer experience is expected to be negatively affected by an anti-fraud initiative was found to be a key factor in determining whether to proceed with the initiative


FSA Enforcement Action: Capita Financial Administrators Limited

£300,000 fine for breaches of:

Principle 2: failing to act with due skill, care and diligence in considering the risks posed by financial crime

Principle 3: failing to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems

SYSC 3.2.6R: failing to take reasonable care to maintain effective systems and controls to counter the risk that the firm might be used to further financial crime.


FSA Enforcement Action: Capita Financial Administrators Limited

Inadequate assessment of fraud risk, especially the risk of internal fraud

Should have assessed the adequacy of existing controls and considered additional controls to mitigate any risks identified

Inadequate response to discovery of fraud: although an investigation committee was set up, it focused on the specific circumstances of the fraud rather than a wider review of fraud risks


Dealing with the aftermath

Alert senior management / the board

Investigation of (a) specific circumstances and (b) wider fraud risks

– Appoint appropriate individuals to investigation team

– Consider whether use of external consultant is appropriate

– Establish timetable and objectives

Consider key legal issues

– Asset recovery

– Accessing personal data

– Suspension / dismissal

– Whether or not to provide documents to FSA voluntarily

– Privilege

– Money laundering reporting obligation

Corrective action / remedial plan

Insurance issues

Notifying FSA


Conclusions

Recognise importance of fraud risk management to the FSA and react accordingly

Senior management needs to be engaged

Formal fraud risk assessment process and appropriate controls to deal with identified risks

Clearly defined allocation of responsibilities for fraud risk management

Adequate resources

Adequate investment in systems and controls which are capable of early detection

Capture and use management information on fraud

Ensure threat of both internal and external fraud is assessed and dealt with

Anti-fraud training

Development of fraud investigation plan