Who should read this chapter? This chapter is relevant, and its statements of good and poor practice apply to:
• investment banks and firms carrying on investment banking or similar activities in the UK;
• all other firms who are subject to our financial crime rules in SYSC 3.2.6R or 6.1.1R; and
• electronic money institutions and payment institutions within our supervisory scope.
FCTR 13.3.5G and FCTR 13.3.6G only apply to firms or institutions who use third parties to win business.
In March 2012, the FSA published the findings of its review of investment banks’ anti-bribery and corruption systems and controls. The FSA visited 15 investment banks and firms carrying on investment banking or similar activities in the UK to assess how they were managing bribery and corruption risk. Although this report focused on investment banking, its findings are relevant to other sectors.
The FSA found that although some investment banks had completed a great deal of work to implement effective anti-bribery and corruption controls in the months preceding its visit, the majority of them had more work to do and some firms’ systems and controls fell short of its regulatory requirements. Weaknesses related in particular to: many firms’ limited understanding of the applicable legal and regulatory regimes, incomplete or inadequate bribery and corruption risk assessments; lack of senior management oversight; and failure to monitor the effective implementation of, and compliance with, anti-bribery and corruption policies and procedures.
The contents of this report are reflected in FCG 6 (Bribery and corruption).
You can read the findings of the FSA’s thematic review here: https://www.fca.org.uk/publication/corporate/fsa-anti-bribery-investment-banks.pdf
In addition to the examples of good and poor practice below, Section 6 of the report also included case studies illustrating relationships into which banks had entered which caused the FSA particular concern. The case studies can be accessed via the link in the paragraph above.
Governance and management information (MI)
| Examples of good practice | Examples of poor practice | ||
| • | Clear, documented responsibility for anti-bribery and corruption apportioned to either a single senior manager or a committee with appropriate terms of reference and senior management membership, reporting ultimately to the Board. | • | Failing to establish an effective governance framework to address bribery and corruption risk. |
| • | Regular and substantive MI to the Board and other relevant senior management forums, including: an overview of the bribery and corruption risks faced by the business; systems and controls to mitigate those risks; information about the effectiveness of those systems and controls; and legal and regulatory developments. | • | Failing to allocate responsibility for anti-bribery and corruption to a single senior manager or an appropriately formed committee. |
| • | Where relevant, MI includes information about third parties, including (but not limited to) new third-party accounts, their risk classification, higher risk third-party payments for the preceding period, changes to third-party bank account details and unusually high commission paid to third parties. | • | Little or no MI sent to the Board about bribery and corruption issues, including legislative or regulatory developments, emerging risks and higher risk third-party relationships or payments. |
| • | Considering the risk posed by former PEPs and ‘domestic PEPs’ on a case-by-case basis. | ||
| • | Actions taken or proposed in response to issues highlighted by MI are minuted and acted on appropriately. | ||
Assessing bribery and corruption risk
| Examples of good practice | Examples of poor practice | ||
| • | Responsibility for carrying out a risk assessment and keeping it up-to-date is clearly apportioned to an individual or a group of individuals with sufficient levels of expertise and seniority. | • | The risk assessment is a one-off exercise. |
| • | The firm takes adequate steps to identify the bribery and corruption risk. Where internal knowledge and understanding of corruption risk is limited, the firm supplements this with external expertise. | • | Efforts to understand the risk assessment are piecemeal and lack coordination. |
| • | Risk assessment is a continuous process based on qualitative and relevant information available from internal and external sources. | • | Risk assessments are incomplete and too generic. |
| • | Firms consider the potential conflicts of interest which might lead business units to downplay the level of bribery and corruption risk to which they are exposed. | • | Firms do not satisfy themselves that staff involved in risk assessment are sufficiently aware of, or sensitised to, bribery and corruption issues. |
| • | The bribery and corruption risk assessment informs the development of monitoring programmes; policies and procedures; training; and operational processes. | ||
| • | The risk assessment demonstrates an awareness and understanding of firms’ legal and regulatory obligations. | ||
| • | The firm assesses where risks are greater and concentrates its resources accordingly. | ||
| • | The firm considers financial crime risk when designing new products and services. | ||
Policies and procedures
| Examples of good practice | Examples of poor practice | ||
| • | The firm clearly sets out the behaviour expected of those acting on its behalf. | • | The firm has no method in place to monitor and assess staff compliance with anti-bribery and corruption policies and procedures. |
| • | Firms have conducted a gap analysis of existing bribery and corruption procedures against applicable legislation, regulations and guidance and made necessary enhancements. | • | Staff responsible for the implementation and monitoring of anti-bribery and corruption policies and procedures have inadequate expertise on bribery and corruption. |
| • | The firm has a defined process in place for dealing with breaches of policy. | ||
| • | The team responsible for ensuring the firm’s compliance with its anti-bribery and corruption obligations engages with the business units about the development and implementation of anti-bribery and corruption systems and controls. | ||
| • | anti-bribery and corruption policies and procedures will vary depending on a firm’s exposure to bribery and corruption risk. But in most cases, firms should have policies and procedures which cover expected standards of behaviour; escalation processes; conflicts of interest; expenses, gifts and hospitality; the use of third parties to win business; whistleblowing; monitoring and review mechanisms; and disciplinary sanctions for breaches. These policies need not be in a single ‘ABC policy’ document and may be contained in separate policies. | ||
| • | There should be an effective mechanism for reporting issues to the team or committee responsible for ensuring compliance with the firm’s anti-bribery and corruption obligations. | ||
Third-party relationships and due diligence
| Examples of good practice | Examples of poor practice | ||
| • | Where third parties are used to generate business, these relationships are subject to thorough due diligence and management oversight. | • | A firm using intermediaries fails to satisfy itself that those businesses have adequate controls to detect and prevent staff using bribery or corruption to generate business. |
| • | Third-party relationships are reviewed regularly and in sufficient detail to confirm that they are still necessary and appropriate to continue. | • | The firm fails to establish and record an adequate commercial rationale for using the services of third parties. |
| • | There are higher, or extra, levels of due diligence and approval for high risk third-party relationships. | • | The firm is unable to produce a list of approved third parties, associated due diligence and details of payments made to them. |
| • | There is appropriate scrutiny of, and approval for, relationships with third parties that introduce business to the firm. | • | There is no checking of compliance’s operational role in approving new third-party relationships and accounts. |
| • | The firm’s compliance function has oversight of all third-party relationships and monitors this list to identify risk indicators, eg a third party’s political or public service connections. | • | A firm assumes that long-standing third-party relationships present no bribery or corruption risk. |
| • | Evidence that a risk-based approach has been adopted to identify higher risk relationships in order to apply enhanced due diligence. | • | A firm relies exclusively on informal means, such as staff’s personal knowledge, to assess the bribery and corruption risk associated with third parties. |
| • | Enhanced due diligence procedures include a review of the third party’s own anti-bribery and corruption controls. | • | No prescribed take-on process for new third-party relationships. |
| • | Consideration, where appropriate, of compliance involvement in interviewing consultants and the provision of anti-bribery and corruption training to consultants. | • | A firm does not keep full records of due diligence on third parties and cannot evidence that it has considered the bribery and corruption risk associated with a third-party relationship. |
| • | Inclusion of anti-bribery and corruption-specific clauses and appropriate protections in contracts with third parties. | • | The firm cannot provide evidence of appropriate checks to identify whether introducers and consultants are PEPs. |
| • | Failure to demonstrate that due diligence information in another language has been understood by the firm. | ||
Payment controls
| Examples of good practice | Examples of poor practice | ||
| • | Ensuring adequate due diligence on and approval of third-party relationships before payments are made to the third party. | • | Failing to check whether third parties to whom payments are due have been subject to appropriate due diligence and approval. |
| • | Risk-based approval procedures for payments and a clear understanding of the reason for all payments. | • | Failing to produce regular third-party payment schedules for review. |
| • | Checking third-party payments individually prior to approval, to ensure consistency with the business case for that account. | • | Failing to check thoroughly the nature, reasonableness and appropriateness of gifts and hospitality. |
| • | Regular and thorough monitoring of third-party payments to check, for example, whether a payment is unusual in the context of previous similar payments. | • | No absolute limits on different types of expenditure, combined with inadequate scrutiny during the approvals process. |
| • | A healthily sceptical approach to approving third-party payments. | ||
| • | Adequate due diligence on new suppliers being added to the Accounts Payable system. | ||
| • | Clear limits on staff expenditure, which are fully documented, communicated to staff and enforced. | ||
| • | Limiting third-party payments from Accounts Payable to reimbursements of genuine business-related costs or reasonable hospitality. | ||
| • | Ensuring the reasons for third-party payments via Accounts Payable are clearly documented and appropriately approved. | ||
| • | The facility to produce accurate MI to assist effective payment monitoring. | ||
Gifts and hospitality (G&H)
| Examples of good practice | Examples of poor practice | ||
| • | Policies and procedures clearly define the approval process and the limits applicable to G&H. | • | Senior management do not set a good example to staff on G&H policies. |
| • | Processes for filtering G&H by employee, client and type of hospitality for analysis. | • | Acceptable limits and the approval process are not defined. |
| • | Processes to identify unusual or unauthorised G&H and deviations from approval limits for G&H. | • | The G&H policy is not kept up-to-date. |
| • | Staff are trained on G&H policies to an extent appropriate to their role, in terms of both content and frequency, and regularly reminded to disclose G&H in line with policy. | • | G&H and levels of staff compliance with related policies are not monitored. |
| • | Cash or cash-equivalent gifts are prohibited. | • | No steps are taken to minimise the risk of gifts going unrecorded. |
| • | Political and charitable donations are approved at an appropriate level, with input from the appropriate control function, and subject to appropriate due diligence. | • | Failure to record a clear rationale for approving gifts that fall outside set thresholds. |
| • | Failure to check whether charities being donated to are linked to relevant political or administrative decision-makers. | ||
Staff recruitment and vetting
| Examples of good practice | Examples of poor practice | ||
| • | Vetting staff on a risk-based approach, taking into account financial crime risk. | • | Failing to carry out ongoing checks to identify changes that could affect an individual’s integrity and suitability. |
| • | Enhanced vetting – including checks of credit records, criminal records, financial sanctions lists, commercially-available intelligence databases – for staff in roles with higher bribery and corruption risk. | • | No risk-based processes for identifying staff who are PEPs or otherwise connected to relevant political or administrative decision-makers. |
| • | Conducting periodic checks to ensure that agencies are complying with agreed vetting standards. | • | Where employment agencies are used to recruit staff, failing to demonstrate a clear understanding of the checks these agencies carry out on prospective staff. |
| • | Temporary or contract staff receiving less rigorous vetting than permanently employed colleagues carrying out similar roles. | ||
Training and awareness
| Examples of good practice | Examples of poor practice | ||
| • | Providing good quality, standard training on anti-bribery and corruption for all staff. | • | Failing to provide training on ABC that is targeted at staff with greater exposure to bribery and corruption risks. |
| • | Ensuring training covers relevant and practical examples. | • | Failing to monitor and measure the quality and effectiveness of training. |
| • | Keeping training material and staff knowledge up-to-date. | ||
| • | Awareness-raising initiatives, such as special campaigns and events to support routine training, are organised. | ||
Remuneration structures
| Examples of good practice | Examples of poor practice | ||
| • | Remuneration takes account of good compliance behaviour, not simply the amount of business generated. | • | Failing to reflect poor staff compliance with anti-bribery and corruption policy and procedures in staff appraisals and remuneration. |
| • | Identifying higher-risk functions from a bribery and corruption perspective and reviewing remuneration structures to ensure they do not encourage unacceptable risk taking. | ||
Incident reporting and management
| Examples of good practice | Examples of poor practice | ||
| • | Clear procedures for whistleblowing and the reporting of suspicions, which are communicated to staff. | • | Failing to maintain proper records of incidents and complaints. |
| • | Details about whistleblowing hotlines are visible and accessible to staff. | ||
| • | Where whistleblowing hotlines are not provided, firms should consider measures to allow staff to raise concerns in confidence or, where possible, anonymously, with adequate levels of protection and communicate this clearly to staff. | ||
| • | Firms use information gathered from whistleblowing and internal complaints to assess the effectiveness of their anti-bribery and corruption policies and procedures. | ||
