Financial_Crime_Guide

Policy Statement
PS24/17
Financial Crime Guide Changes

Feedback to CP24/9 and Final Guidance
November 2024
This relates to
Consultation Paper CP24/9 which is available on our website at www.fca.org.uk/
publications
Telephone:
0207 066 0984
Email:
[email protected]
Sign up for our news and publications alerts

See all our latest press releases, consultations and speeches.
Contents
Chapter 1 Summary Page 4
Chapter 2 Who this affects Page 5
Chapter 3 Feedback on CP24/9 Page 10
Annex 1 List of non-confidential respondents Page 21
Annex 2 Abbreviations used in this paper Page 22
Appendix 1 Made rules (legal instrument)
3
Chapter 1
Summary
1.1 Financial crime is a key priority in our 2022-2025 Strategy. Our approach to supervision
is proactive and data-led, focusing on the effectiveness of firms’ systems and controls,
disrupting wrongdoing, pursuing firms and individuals and removing those who do not
comply with our rules from the financial system. As part of the Strategy, we publish
findings and provide feedback to industry on both common problems and good practice.
In line with this, we provide information and advice in relation to our functions, including
those involving financial crime supervision. Our Financial Crime Guide (‘the Guide’)
provides practical help and information for all the firms we supervise. The Guide
provides examples of good practice that firms can adopt to reduce the risks of being
used to further financial crime.
Public Consultation on Proposed Changes

1.2 To uphold our commitment to providing feedback and guidance, we launched a public
Consultation Paper 24/9 (CP24/9) in April 2024 on potential changes to the Guide. We
invited views on these proposed changes, focusing on sanctions, proliferation financing
(PF), transaction monitoring (TM), cryptoasset businesses, the Consumer Duty and
other consequential changes such as data security and updating case studies. The
consultation period lasted 9 weeks and concluded on 27 June 2024.
1.3 We received 42 responses over the consultation period, from both the private and
public sectors, individuals working for regulated firms, academics, non-governmental
organisations, and trade associations. This feedback has been a valuable resource in
helping us assess the effectiveness of our current guidance on financial crime and the
proposed changes, as well as helping us to define future areas of focus for the Guide.
Our Response to the Feedback

1.4 This Policy Statement addresses the feedback received and publishes the final draft of
the Guide. The statement includes:
• An overview of the consultation process.

• Summary of key themes raised in the feedback.
• Our responses to these themes.
1.5 The feedback received has directly influenced the final draft of the Guide, resulting
in amendments. The remaining feedback will be considered for potential future
amendments to the Guide.
4
Chapter 2
Who this affects
2.1 This Policy Statement affects:
• All FCA financial crime supervised firms.

• Firms that we supervise under the Money Laundering, Terrorist Financing and
Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs), including
cryptoasset businesses.
2.2 These firms are expected to have read and considered the revised finalised Guide and
to use their judgement on how it may help them ensure they have effective systems and
controls in place.
2.3 The Guide will also be of interest to individuals and organisations that provide services to
these firms, such as:
• Individuals and organisations working with firms subject to FCA financial crime and
MLRs supervision.
• Financial Services Sector Trade Associations and any other parties interested
in FCA financial crime supervision. This could include non-governmental
organisations working on financial crime prevention and academics.
2.4 The Guide is targeted at firms and will be of limited relevance to consumers.
The wider context of this policy statement
Focus and scope of proposed changes

2.5 The consultation was published on 29 April 2024. The proposed changes to the Guide
are designed to ensure it remains a valuable resource for firms we regulate, offering
guidance on financial crime systems and controls. The revised Guide aims to help firms
identify and assess relevant financial crime controls more effectively.
2.6 The proposed changes focus on areas where we identified firms wanted additional
guidance to clarify our expectations. These changes reflect insights from our
supervisory work on financial crime and incorporate updates from our recent
publications. We are also considering further revisions to other chapters in due course.
Alignment with our objectives

2.7 The publication supports the following FCA objectives:
• Consumer protection
– Good financial crime systems and controls can directly protect consumers
and their money. Firms should have proportionate financial crime systems
5
and controls, reflective of their business. This will be reinforced by making it
clear that all firms must also consider whether their systems and controls are
consistent with the Consumer Duty.
• Market Integrity
– We are committed to making sure that firms and markets are not used as
conduits for financial crime. These changes provide guidance to firms on
actions they may take when evaluating or setting up their financial crime
systems and controls.
• International competitiveness and growth
– Financial crime imposes significant costs across the economy. It harms

consumers directly, undermines their confidence in financial services and
damages the UK’s international reputation. Therefore, reducing it is important
both for economic growth and the UK’s international competitiveness. At
the same time, we can help ensure costs for firms are proportionate by
releasing clear guidance that allows firms to be confident that they are fulfilling
their obligations, while also allowing them to take potentially more efficient
innovative, technology-led approaches to activities such as transaction
monitoring.
What we are changing

2.8 Our changes are designed to reduce and prevent the harm of financial crime by
providing firms with information and guidance on financial crime systems and controls.
We have drafted changes in the following areas:
2.9 Sanctions: Following Russia’s illegal invasion of Ukraine in 2022, we conducted extensive
assessments of firms’ sanctions’ systems and controls. We are updating the sanctions
chapter to reflect what we and firms have learned.
2.10 Proliferation Financing (PF): We are updating the guidance to ensure PF is explicitly
referenced throughout the Guide where appropriate. This includes highlighting a 2022
change to the MLRs, which requires firms to conduct PF Risk Assessments.
2.11 Transaction Monitoring (TM): We are setting key guidance for firms on how to
implement and monitor transaction monitoring systems. This includes supporting
responsible innovation and new technological approaches.
2.12 Cryptoasset Businesses: Cryptoasset businesses registered under the Money

Laundering Regulations (MLRs) have been subject to FCA supervision for AML/CTF/PF
purposes since January 2020. We are making it clear that cryptoasset businesses should
refer to the Guide.
2.13 Consumer Duty: The Guide clearly states that firms should consider whether their
systems and controls are consistent with their obligations under the Duty.
6
2.14 Consequential Changes: We are making consequential changes to the Guide, including
replacing expired links, updating outdated references to European Union rules and
refreshing case studies based on more recent FCA enforcement notices.
2.15 Please refer to the final guidance as set out in Annex 1.
Outcomes we are seeking

2.16 Our aim with these changes is to reduce the harm of financial crime to financial
markets and consumers. Following the publication of this Policy Statement and the final
guidance, we are expecting:
• Firms to have read and understood the changes.

• Firms to review their systems and controls in light of the changes, where
applicable.
• Firms to evaluate whether their systems and controls are adequate and
proportionate, considering the revised guidance.
• Firms to have a heightened awareness of what constitutes good and poor practice.
• Ultimately, we expect to see improved compliance across the firms we supervise,
with firms being able to demonstrate they have considered the Guide.
Measuring success
2.17 We are assessing the impact of the updated Guide by monitoring the engagement of
firms and their feedback on the proposed changes during the consultation and our
future consultations on the Guide.
2.18 We will continue to refine the guidance in line with our supervisory findings and
publications. We also appreciate feedback on chapters and areas not covered in the
consultation that respondents believe we should focus on in the future. We will use this
information to inform future updates to the Guide.
Summary of feedback and our response

2.19 This section provides a summary of the feedback and our responses.
2.20 Sanctions: Feedback on the sanctions updates was positive, with respondents
welcoming clarifications on payment and cryptoasset businesses, senior management
accountability, and new self-assessment questions. In response to the feedback
suggestions, we have updated some of the terminology for clarity and added
clarifications on the UK scope of the Guide and the examples. We have also clarified
some of the drafting on reporting significant sanctions breaches as set in SUP15.3 and
made other changes to align with Office of Financial Sanctions Implementation (OFSI)
requirements and legislative positions. We also added clarifications to examples for
manual and automated sanctions screening, and the scope of screening processes. We
7
will consider future revisions to the sanctions chapter, including examples of good and
poor practice, guidance on screening, further references to the new Office of Trade
Sanctions Implementation and trade sanctions, and adding case studies to help firms
evaluate their systems and controls.
2.21 Proliferation Financing: Respondents were satisfied with the additions to the Guide
that refer to the requirement for PF risk assessment as set out under the Money
Laundering Regulations 2017. Respondents suggested more examples of good and poor
practice and a clearer division between PF and sanctions chapters. We have decided
that, since specific sanctions regimes are aimed at deterring the proliferation and use of
chemical weapons it remains appropriate to not introduce a separate chapter on PF. We
will consider adding any good and poor practice on PF based on supervisory findings in
future updates of the Guide.
2.22 Transaction Monitoring: Feedback on TM was positive. Respondents welcomed

the proportionate approach to technology and AI’s potential to increase efficiency.
Respondents also appreciated the refreshed case studies and examples of good
and poor practice. We revised some terminology to avoid misinterpretation of our
expectations, and expectations and added best practice examples for system rules and
AI governance when using automated systems.
2.23 Cryptoasset businesses: Firms supported the inclusion of cryptoasset businesses

in the Guide, with slight amendments for clarity on the examples we provide for these
businesses. The Guide remains sector-agnostic, focusing on financial crime controls
and specific risks.
2.24 Consumer Duty: Respondents requested additional clarity on aligning the Guide
with the Consumer Duty. This has led to more cross-references to Consumer Duty
rules and guidance, making it clear that firms must act to deliver good outcomes for
retail customers and ensure that their systems and controls are consistent with the
Consumer Duty.
2.25 The Economic Crime and Corporate Transparency Act 2023 (ECCTA): ECCTA has
enhanced anti-money laundering powers, promoting better information sharing on
economic crimes. We support the successful implementation of these powers and
believe they will help firms better detect and prevent financial crime. As such, we have
now replicated the good practice example on information sharing from Sanctions
Chapter 7 in Chapter 3 on Risk Assessments to encourage data sharing partnerships.
We also clarify that ECCTA allows businesses to share information to combat economic
crime without civil liability for confidentiality breaches. However, firms must not misuse
these measures to exclude customers and must comply with the UK General Data
Protection Regulation.
2.26 Consequential changes: Respondents were positive about the proposed changes to
practice examples and self-assessment questions. The consequential changes include
naming firms in case studies, clarifying the roles of the Money Laundering Reporting
Officer (MLRO) and Senior Manager, ensuring functional web links and removing
outdated references to the EU.
2.27 For future updates to the Guide, some respondents requested:
8
• More detailed guidance on fraud, especially Authorised Push Payment (APP)
scams, synthetic identity fraud and digital fraud. We plan to review the relevant
chapters in the Financial Crime Guide, focusing on APP fraud, as part of any future
update.
• Examples of AI and machine learning in detecting financial crime. We are exploring
these technologies’ safe integration and impact on markets, and whether future
updates may be needed.
2.28 There was also a request for more guidance on domestic Politically Exposed Persons
(PEPs). In July 2024, we published a Guidance Consultation 24/4 (GC24/4) on a
proportionate approach to UK PEPs. Following the consultation, we will be publishing the
final guidance and a Policy Statement. This Financial Crime Guide directs firms to the
PEP Guidance, and we will update the link following the PEP guidance update.
2.29 We will continue to refine the guidance in line with our supervisory findings and
publications. We also appreciate feedback on chapters and areas not covered in CP24/9
that respondents believe we should focus on in the future.
Equality and diversity considerations

2.30 We have considered the equality and diversity issues that may arise from these changes
to the Guide and concluded that they do not materially impact any of the groups with
protected characteristics under the Equality Act 2010.
2.31 We maintain that the Guide should not adversely impact groups under the Equality Act
2010 but have responded to the feedback we received during the consultation in 3.56.
Next steps
What you need to do next

2.32 If your firm is affected by these changes, you need to consider what adjustments may
be needed to your financial crime systems and controls. This could include changes to
internal policies, monitoring systems, training, governance or other elements of your
systems and controls. Some firms may need to implement more changes than others,
while some may find that their existing systems and controls already align with the new
guidance and require no adjustments.
What we will do next

2.33 We will continue to engage with firms following this publication and publish our findings.
These may result in further changes to the Guide. We also continue to use our other
supervisory publications for firms to outline our financial crime approach and provide
guidance to firms.
2.34 We hope that financial crime regulated firms find the Guide revisions helpful. We look
forward to engaging with firms for further feedback on how we can improve the Guide.
9
Chapter 3
Feedback on CP24/9
Feedback on Proposed Draft Guidance: CP24/9

3.1 In CP24/9 we asked:
Question 1: Do you agree with the suggested drafting as set out in this
Consultation Paper?
This chapter further summarises the feedback received and our response, including any
changes we are making:
Sanctions
3.2 The feedback on the sanctions updates was generally positive. Respondents welcomed
additional clarification on the scope of the guidance to payment and cryptoasset
businesses. They also welcomed guidance on senior management accountability for
sanctions risk and governance and said the new self-assessment questions and the
additional drafting in the customer due diligence chapter was useful. They asked for
further clarity on some of the terminology in the reporting requirements, automated
and manual sanctions monitoring and screening among other small amendments. We
are considering future changes to the chapters as set in 3.12 of this PS.
Our response
We have updated the terminology in the sanctions chapter for clarity

and consistency. Specifically, we have changed ‘sanctioned countries’ to
‘sanctioned jurisdictions’ throughout FCG 7.2. We have also referred to
‘sanctions regimes’ when it relates to a particular jurisdiction or specific
regime, and UK sanctions, when it relates to the overall UK sanctions
framework. Additionally, we now refer to ‘sanctions targets’ rather than
individuals or entities subject to sanctions.
Some respondents requested further clarity on the UK nexus and
guidance on the application of the Guide beyond the UK, particularly for
non-UK sanctions frameworks. The Guide and its provisions are provided
in the context of the UK financial sanctions framework as set out in FCG
7.1. However, we have amended the reporting guidance in FCG 7.1.5 to
clarify that the Guidance sets the notification expectation for firms which
are the target of UK sanctions or those of other countries or jurisdictions,
along with other clarifications throughout the FCG 7 on the scope of the
guidance. We have been asked to clarify the meaning of ‘agents’ in FCG
7.1.5 and note that it is a defined term in the FCA glossary.
10
We have also clarified the distinction between the UK Sanctions List and
the Consolidated List maintained by OFSI in FCG 7.1.5A.
We were asked to provide more clarification about when firms should
notify us of suspected sanctions breaches. In response, we are clarifying
that firms should report suspected sanctions breaches to us in line with
Principle 11 and SUP 15.3.8G(2). For example, suspected breaches of
sanctions resulting from significant failures in their systems and controls.
We note that SUP 15.3.1R and SUP 15.3.8(2)G cover the timeliness of
reporting to the FCA, and so have not sought to replicate that guidance
in FCG 7. We have amended good practice example 3 in FCG 7.2.3C
accordingly to remove a separate reference to timescales.
We have also amended a poor practice example in FCG 7.2.3C to ‘The
firm does not report a breach of financial sanctions to OFSI when
required to do so’ to align the Guide with the legislative position on OFSI
reporting.
Some respondents requested changes to the CDD section for further
clarity. In response we have noted that CDD is relevant to other financial
crime controls and have made the following changes to the good practice
examples:
• Example 2 in FCG 7.2.2.A has been amended to ‘The firm’s CDD
identifies all parties relevant for its screening processes’.
• Example 3 in FCG 7.2.2A has been amended to ‘The firm’s customer
onboarding and due diligence processes are designed to identify
customers...’.
Respondents also asked us to clarify the scope of manual and automated
sanctions screening in FCG 7.2.3, and other areas in FCG 7.2.3A on
evasion detection. In response, we have clarified where the examples
in FCG 7.2.3 apply specifically to automated screening, made reference
to the red flags for sanctions evasion issued by the National Economic
Crime Centre (NECC) in FCG 7.2.3A and other minor amendments to
drafting, such as:
• Amended good practice example 7 to state that screening tools are
tailored to the firm’s risk and are appropriate for screening UK sanctions.
• Added wording to reflect that the investigation of alerts is part of
sanctions screening processes.
• Clarified that ‘increased volumes and pressure on sanctions teams
following changes in the sanctions landscape’ can prevent firms from
effectively managing sanctions compliance.
• Clarified that firms’ screening processes may differ depending on the
nature of a firm’s business and their assessment of risk. We do not
intend to provide comprehensive sector-specific guidance on screening
processes. However, we will consider including additional identified good
and poor practices in future revisions to the FCG, which may provide
further guidance.
11
We have removed text suggesting an OFSI licence is required to retain
customers who are designated persons.
In chapters FCG 7.2.1 (Governance) to FCG 7.2.2 (Risk Assessment), and
other areas, we have made several changes:
• For instance, we amended poor practice example 2 in FCG 7.2.1,
changing the word ‘ensure’ to ‘manage’ as this is more appropriate.
Additionally, we added the word ‘material’ in front of ‘sanctions
developments’ in example 3 of good practice in FCG 7.2.2 to reflect
feedback, agreeing that lessons learned should be proportionate and
relevant to the firm.
• We also combined amended Q2 in the self-assessment questions in
FCG 7.2.2, to clarify the distinction with Q5. Q2 now reads ‘where it has
identified new sanctions risk events’. Furthermore, we referenced the
NECC red alerts for sanctions evasion to give firms additional red flag
indicators to help in identifying evasion.
• We addressed wider points on governance, accountability, outsourcing
and other areas by providing examples in Chapter 7. However, we remind
firms that these should be read in conjunction with other FCG systems
and controls chapters for financial crime, as they are also relevant for
sanctions risk management.
• One respondent asked us to remove text in our proposed amendments
in FCG 7.2.3A on identifying close associates and dependents. We have
not removed the text as we think it is important to identify potential
enablers of evasion. While these will not be designated persons, data
analysis of known designated persons’ activity may help in identifying
them.
In addition to these changes, we will consider future revisions to FCG 7
in areas such as further examples of good and poor practices for senior
management responsibility and management information, particularly
where we identify sanctions-specific examples. We will also consider
providing further guidance on screening and consider changes and
further references to the Office of Trade Sanctions Implementation
(OTSI) and non-financial sanctions, such as trade sanctions. Additionally,
we will consider providing more case studies to help firms evaluate their
Proliferation Financing (PF)

3.3 Overall, respondents were satisfied with the additions made to the Guide on PF and
making it clear that PF risk assessment is a requirement on firms under the Money
Laundering Regulations 2017.
12
3.4 Some respondents suggested further good and poor practice examples on PF risk
assessment, including links to other publications and a clearer division between
proliferation financing and sanctions chapters.
Our response
We carefully considered the proposal to separate PF from the wider

Chapter 7 on Sanctions and Proliferation Financing. However, we
concluded that as the 2 topics are closely related with no specific PF case
studies there was currently no justification to separate the chapter.
We have included an additional reference to the PF Risk Assessment in
FCG 7.2.2. This acts as a reminder that the risk assessment requirements
in FCG 2.2.4G on risk assessment for financial crime apply to sanctions as
well as proliferation financing (see addition in FCG 7.2.2G).
Transaction Monitoring (TM)

3.5 Respondents welcomed our drafting on a proportionate approach to using technology
in transaction monitoring, and the reference to the potential of AI to increase efficiency
of TM. Respondents also welcomed the refreshed case studies on TM and additional
good and poor practice examples for automated systems.
3.6 Some respondents suggested that we reconsider some of the chapter’s terminology to
avoid misinterpretation.
Our response
We have removed the word ‘hibernation’ from the example in FCG 3.2.5A.
Some respondents were concerned that there is no clear definition in
place, and this may cause different approaches when applying the Guide.
We have provided a good practice example for firms to test and update
system parameters appropriately. We think that this is important to make
sure that whichever approach they take it can help effectively identify
suspicious activity.
We have further clarified that FCG 3.2.5A includes our expectations for
both manual and automated TM unless the example specifies otherwise
or refers solely to an automated monitoring system.
We have revised the wording in FCG 3.2.5A: ‘To date, many large
institutions have used transaction monitoring systems that work on a
transaction-by-transaction or unusual transaction basis, or combination
of the two flagging fund movements that exceed rule-driven thresholds
for human scrutiny.’ This change reflects the variety of TM systems in use.
13
Some respondents suggested that the use of ‘verify’ was unduly
restrictive. In response, we have modified poor practice example 6 ‘A firm
does not verify that a counterparty firm is monitoring customer activity’
to ‘A firm does not check that a counterparty firm is monitoring customer
activity’.
We have added a new good practice example on tailoring and testing
a transaction monitoring system to the emphasise the importance of
this for effective monitoring. This reads: ‘The firm tailors the monitoring
system rules to its business, risk, and relevant typologies. The system
and rules are tested, reviewed, and adapted/kept up to date to ensure the
right outcomes' as suggested.
We agreed with the comments that an added example will provide further
guidance on governance and audit trail, while welcoming innovative
approaches. So, we have added a new good practice example on record
keeping for systems using AI: ‘The firm keeps records of how the AI has
been trained, and the process for making adjustments, specifically how
the interpretable model can be maintained’.
Cryptoasset Businesses
3.7 Firms supported we make explicit mention of cryptoasset businesses being expected to
use the Guide. Some respondents asked whether there needed to be a specific chapter
for these business types and others sought clarification on some of our proposed
drafting.
3.8 We have slightly amended the wording on the self-assessment question to ensure
relevant risks are addressed: ‘For cryptoasset business, how are risks of different types
of cryptoasset (e.g. anonymity-enhanced or privacy coins) or wallet solutions assessed
and addressed?’
3.9 Some respondents suggested we consider creating a sub-chapter for cryptoasset

firms. The Guide, in principle, is agnostic to sectors and instead focuses on elements
of financial crime controls and specific risks, such as money laundering, fraud and
sanctions. However, we know that some chapters and good/poor practice examples are
more relevant to certain firms or sectors. For sector specific guidance, firms can refer to
our supervisory findings, other publications or portfolio letters.
The Consumer Duty

3.10 The Consumer Duty came into force on 31 July 2023 for new and existing (open)
products. As of July 2024, it is now in force for all products. It introduced a more
outcomes-focused approach to consumer protection and sets high expectations for
the standard of care that firms give retail customers.
3.11 The Duty applies to all aspects of a firm’s retail market business, from developing
products and services through to distribution and post-sale activities.
14
3.12 Respondents have requested more clarity on aligning the Guide with the Duty. They
have pointed out instances where they believe the Guide might conflict with the Duty.
This includes situations where concerns about unfair client treatment may conflict with
the need for thorough due diligence, asset freezing and a risk-based approach.
3.13 In response, we have added more cross-references to the rules and the non-Handbook
Guidance for firms on the Duty in the Finalised Guidance 22/5 (FG22/5). This will help
firms in balancing their Consumer Duty obligations with financial crime obligations.
3.14 The Duty does not imply that consumers can or will be protected from all harms or
that all harms are preventable. Harm may occur in unforeseeable circumstances, such
as when financial crime obligations emerge as part of the firms’ operations. However,
we expect firms to consider what actions might be appropriate once harm becomes
foreseeable.
3.15 Where other legislative or regulatory requirements apply, firms should continue to
comply with them. The Duty does not replace or override other requirements. If financial
crime requirements prescribe certain actions, firms must comply with them, but they
will need to think more widely about their approach to meet our expectations under
the Duty. We therefore encourage firms to consider their financial crime obligations
in relation to the Duty, especially in relation to Principle 12 and the cross-cutting rules,
which are now referenced in the Guide:
• Principle 12: A firm must act to deliver good outcomes for retail customers.
• PRIN 2A.2.1R: A firm must act in good faith towards retail customers.
• PRIN 2A.2.8R: A firm must avoid causing foreseeable harm to retail customers.
• PRIN 2A.2.14R: A firm must enable and support retail customers in pursuing their
financial objectives.
• Consumer Duty outcome provisions:
• PRIN 2A.5: retail customer outcome on consumer understanding.
• PRIN 2A.6: retail customer outcome on consumer support
3.16 These will be relevant where firms consider their approach to dealing with financial
crime. For example, when dealing with victims of fraud, firms should consider the
relevant rules in the support they provide customers and their communication.
Data Security
3.17 We received positive feedback on the Data Security Chapter FCG 5 changes.
Respondents thought that the new examples will be particularly helpful for practitioners.
Although we received a limited number of proposals for changes, we have implemented
the following adjustments:
• Adding a good practice example on firms’ ability to restore systems following an

incident, including requirement that restoration is done in a timely manner.
• Adding a poor practice example of inadequate controls to revoke access for staff
that leave the firm or their department.
3.18 In addition to directing firms to the 10 steps of cybersecurity, we have also linked the
National Cyber Security Centre (NCSC) cyber security toolkit for Boards in FCG 5.4.1.
15
3.19 Some of the respondents requested further guidance on secure implementation of
Generative AI in the context of data security. This is an area we continue to monitor.
Data and Information Sharing

3.20 The Economic Crime and Corporate Transparency Act (ECCTA) has strengthened anti-
money laundering powers, enabling improved information-sharing on suspected money
laundering, fraud and other economic crimes. This includes enabling businesses, under
certain circumstances, to share information more readily for preventing, detecting
or investigating economic crime. It does so by disapplying civil liability for breaches of
confidentiality for firms that share information to combat economic crime. We support
the effective application of these powers and believe they strengthen firms’ ability to
detect and prevent financial crime.
3.21 Based on the feedback received, we have replicated good practice example 4 from
section FCG 7.2.2 in section FCG 3.2.3. This makes it clearer that we encourage firms
to participate in information and data sharing partnerships. We have also included a
glossary definition for ECCTA.
3.22 In section FCG 3.2.3, we have noted that the measures under ECCTA are not intended
to provide firms with additional powers to inappropriately exclude customers. Regulated
firms should use these measures to help with their risk-based decision-making process.
Firms should refrain from sharing information for commercial reasons and must
consider their obligations under UK GDPR.
Consequential Changes
3.23 We have received generally positive feedback on the good and poor practice examples
and the self-assessment questions. Firms have found these useful and clear. We have
considered feedback and made the following changes:
• Some respondents have flagged that the FCG should consistently either name
or not name the firms in our case studies. They found that anonymising the firms
makes it more difficult for them to know if they have previously assessed the case
study. In response to the feedback, we have returned to our original practice of
naming the firms in our case study examples. This allows firms to find and identify
the referenced final notices. As Final Enforcement Notices are publicly available
on our website, we are comfortable with continuing this approach. We have added
a clarification in the Guide that the MLRO and Senior Manager can be the same
person, as stated in FCG 3.2.2.
• We have made additional changes throughout the document to ensure that all
weblinks are functional and have added additional links to other useful materials.
• We have removed a reference to a Joint Money Laundering Steering Group
(JMLSG) Guide definition of ‘equivalent jurisdiction’ as it no longer applies in the
UK, following removal of the definition from the JMLSG after the UK’s departure
from the European Union.
16
Feedback on Future Amendments
Question 2: For future iterations of the Guide which chapters in the Guide
would you like us to consult on or provide further guidance? Are
there any financial crime topics currently not in the Guide that
you would like us to consult on in the future?
This section presents the feedback received on Question 2. We have already addressed
some of the feedback on future changes in our response to Question 1, in particular
those linked to the suggested drafting in CP24/9.
Fraud
3.25 Respondents suggested that future guidance on fraud would be helpful for firms. This
includes specific coverage of APP scams and details on preventing other prevalent types
of fraud, such as synthetic ID and digital fraud.
3.26 Fraud prevention is one of our priority areas. We want to use the full range of our toolkit,
including the Financial Crime Guide, to address and reduce the harms caused by fraud.
Our strategic focus is on 2 key areas: investment fraud and APP fraud. In line with this,
we are actively planning to review the chapters on fraud in the Financial Crime Guide.
This review is aimed at ensuring that we continue to provide valuable and appropriate
guidance that meets the needs of firms in their ongoing efforts to combat fraud.
Technology, Artificial Intelligence and Machine Learning

3.27 For future updates, respondents have asked us to include more examples of AI and
machine learning applications. Specifically, about how firms can use these technologies
to detect and prevent financial crime and manage associated risks.
3.28 We have taken this feedback into account and are collaborating across the FCA to
explore the connection between our broader work on AI and machine learning and the
Guide. We are a principles-based and outcomes-focused regulator. We are focusing on
how firms can safely and responsibly adopt AI technology, as well as on understanding
what impact AI innovations are having on consumers and markets.
3.29 We want to promote the safe and responsible use of AI in UK financial markets and
leverage AI in a way that drives beneficial innovation. The FCA sees beneficial innovation
as a vital component of effective competition. For further detail, please refer to our
published AI Update.
Politically Exposed Persons (PEPs)

3.30 Feedback shows firms would like additional guidance on the treatment of domestic
PEPs. This related to changes introduced by the Money Laundering and Terrorist
Financing (Amendment) Regulations 2023, stipulating that the starting point for a
17
firm’s risk assessment of PEPs is that all domestic PEPs present a lower risk than non-
domestic PEPs unless other risk factors are apparent.
3.31 We have incorporated a reference to Money Laundering and Terrorist Financing

(Amendment) Regulations 2023 in the Guide ‘common terms’ Annex 1. We have also
included the existing link to the Finalised Guidance 17/6 (FG17/6), which already provides
guidance on our expectations on the treatment of politically exposed persons for anti-
money laundering purposes.
3.32 In July 2024, we published the outcome of multi firm work on the treatment of PEPs.
Alongside this, we published proposals for targeted updates to our existing guidance
in GC24/4. This consultation included proposed changes to reflect the changes of the
MLRs. The consultation closed in October, and we will publish the final guidance for firms
in due course. Firms should continue to follow our guidance and refer to the revised
version of the guidance once published. Once published, we will include a reference and
a link to the finalised ‘PEP Guidance’ in the Financial Crime Guide via Rulemaking and
Amending Instruments process in the Handbook or during the next iteration of updates
to the Guide.
Feedback: Unintended Consequences, Equality and Diversity

and Cost Benefit Analysis
Question 3: Do you foresee any unintended consequences from the

proposals?
Response
A small number of respondents expressed concerns about aligning the

financial crime guidance with the Consumer Duty. This issue was also
brought up in responses to Question 1. We have addressed this in 3.29,
adding more references to the Duty and relevant guidance to assist firms.
Question 4: Do you agree with our cost benefit analysis and conclusion?
If you do not, please provide an explanation, including any
estimated costs or benefits that may be relevant.
18
Response
We received a small number of responses about our Cost Benefit Analysis

(CBA). Many of these asked for more detail and transparency about how
we had compiled our cost estimates. We estimated costs following our
methodology set out in our Statement of Policy on Cost Benefit Analysis.
Several responses suggested that the per-firm cost estimates in our
CBA were too low. These respondents suggested that many firms are
under-resourced and would require costly consultants to help implement
changes. One firm noted that the familiarisation costs estimated would
be an additional cost to firms of doing business within the UK.
One response disagreed with our assumption that a gap analysis will
not be required by most firms, asserting that firms will need to assess
controls against several of the new areas added to the Financial Crime
Guide. Another response suggested that our cost estimates may not
account for all necessary adjustments in procedures and training.
In our CBA, we noted some firms may have higher costs beyond
familiarisation with the Guide but highlighted that we were uncertain how
many firms do so. Some responses suggested that certain costs may be
higher than we set out in the CBA. However, respondents did not provide
any additional evidence to quantify the extent of these differences, and
responses did not suggest alternative assumptions we should use. We
have therefore not made any adjustments to the costs we presented.
We consider these costs proportionate to the expected benefits of our
intervention (reduced financial crime).
Question 5: Do you agree with the comments on the assessment of the

equality and diversity considerations?
Response
We have taken into account the potential equality and diversity issues
that could emerge from this Policy Statement and the feedback gathered
during the consultation.
In light of the consultation feedback, we have given additional thought to
the potential impact of our proposed guidance on consumers. As a result,
we have incorporated more references to the Consumer Duty principles
and expectations for firms to operate at a standard that ensures suitable
protection for retail customers. We believe that our proposals will have a
positive impact on consumers by ensuring that firms take the Duty into
account when designing their systems and controls. We have also added
links to the Duty guidance in the Guide, which provides information on
19
achieving good outcomes for customers, including those in vulnerable
situations.
We continue to explore other areas highlighted during the consultation to
determine whether our future updates, especially those related to fraud
and technology, could unintentionally affect equality and diversity.
20
Annex 1
List of non-confidential respondents
1. We are obliged to include a list of the names of respondents to our consultation who
have consented to the publication of their name. That list is as follows:
AI & Partners
Alastair Cookson, Director - Redline Capital (UK) Limited
API Compliance Ltd
The Association of Professional Compliance Consultants
Brian Swainston, Deputy MLRO – Fidelity International
ClearBank
DataWise Forensics
Debt Managers Standards Association Ltd (DEMSA)
Deloitte
Fenergo
Finance and Leasing Association
Forvis Mazars
The Investing and Saving Alliance (TISA)
Joshua Tjeransen, International Consultant (Proliferation Finance) – United Nations

Office On Drugs and Crime (UNODC)
Marilyne Ordekian, PhD Candidate – Computer Science, University College London
Nottingham Building Society
Odyssey Pensions Limited
Perenna Bank
Venkatesh Balasubramaniam, CAMS, CFCS, Consulting Partner –

Wipro Technologies Ltd
Yonder Technology
21
Annex 2
Abbreviations used in this paper
Abbreviation Description
AI Artificial Intelligence
AML Anti-Money Laundering
APP Fraud Authorised Push Payment Fraud
CDD Customer Due Diligence
CTF Counter Terrorist Financing
ECCTA Economic Crime and Corporate Transparency Act 2023
EDD Enhanced Due Diligence
FATF Financial Action Task Force
FCA Financial Conduct Authority
FCG Financial Crime Guide
FSA Financial Service Authority (Predecessor to the FCA)
FSMA Financial Service and Markets Act 2000
GDPR General Data Protection Regulation
JMLSG Joint Money Laundering Steering Group
KYC Know Your Customer
MLRO Money Laundering Reporting Officer

The Money Laundering, Terrorist Financing and Transfer of Funds
MLRs
(Information on the Payer) Regulations 2017
NCSC National Cyber Security Centre
OFSI The Office of Financial Sanctions Implementation
OTSI The Office of Trade Sanctions Implementation
PEPs Politically Exposed Persons
PF Proliferation Financing
TM Transaction Monitoring
22
All our publications are available to download from www.fca.org.uk.
Request an alternative format

Please complete this form if you require this content in an alternative format.
Or call 020 7066 6087
Sign up for our news and publications alerts
23
Appendix 1
Made rules (legal instrument)
24
FCA 2024/46
FINANCIAL CRIME GUIDE (AMENDMENT) INSTRUMENT 2024
Powers exercised
A. The Financial Conduct Authority (“the FCA”) makes this instrument in the exercise
of the powers and related provisions in or under:
(1) section 139A (Power of the FCA to give guidance) of the Financial Services
and Markets Act 2000;
(2) regulation 120(1) (Guidance) of the Payment Services Regulations 2017;
and
(3) regulation 60(1) (Guidance) of the Electronic Money Regulations 2011.
Commencement
B. This instrument comes into force on 29 November 2024.
Amendments to material outside the Handbook
C. The Financial Crime Guide: A firm’s guide to countering financial crime risks (FCG)
is amended in accordance with the Annex to this instrument.
Citation
D. This instrument may be cited as the Financial Crime Guide (Amendment) Instrument
2024.
By order of the Board

28 November 2024
FCA 2024/46
Annex
Amendments to the Financial Crime Guide: A firm’s guide to countering financial

crime risks (FCG)
In this Annex, underlining indicates new text and striking through indicates deleted text.
1 Introduction
1.1 What is the FCG?
1.1.5 …
Where FCG refers to guidance in relation to SYSC requirements, this may also be
relevant to compliance with the corresponding Principle in our Principles for
Businesses and corresponding requirements in the Payment Services
Regulations and the Electronic Money Regulations. All elements of the FCG but
particularly FCG 3 on money laundering and FCG 7 on sanctions will be relevant
to cryptoasset businesses registered with us under the Money Laundering
Regulations.
1.1.11 FCG is not a standalone document; it does not attempt to set out all applicable
requirements and should be read in conjunction with existing laws, rules and
guidance on financial crime. If there is a discrepancy between FCG and any
applicable legal requirements, the provisions of the relevant requirement prevail.
If firms have any doubt about a legal or other provision or their responsibilities
under FSMA or other relevant legislation or requirements, they should seek
appropriate professional advice.
Among other requirements, firms should consider whether their financial crime
systems and controls are consistent, where applicable, with their Consumer Duty
obligations.
For instance, in complying with the Consumer Duty, firms may consider
additional steps in their customer journeys to help prevent financial crime,
including fraud. They may also consider offering additional consumer support,
such as:
• a real-time human interface to deal with security or fraud concerns;
• engagement with customers during customer due diligence processes; or
• providing information on their application or application outcome for
products and services.
Firms should consider FG22/5 when applying their financial crime systems and
controls. In particular, firms may find it helpful to consider the following
provisions:
Page 2 of 30
FCA 2024/46
• Principle 12: A firm must act to deliver good outcomes for retail
customers;
• Cross-cutting obligations:
o PRIN 2A.2.1R: A firm must act in good faith towards retail
customers;
o PRIN 2A.2.8R: A firm must avoid causing foreseeable harm to retail
customers; and
o PRIN 2A.2.14R: A firm must enable and support retail customers to
pursue their financial objectives; and
• Consumer Duty outcome provisions:
• PRIN 2A.5 (Consumer Duty: retail customer outcome on consumer
understanding); and
• PRIN 2A.6 (Consumer Duty: retail customer outcome on consumer
support).
Firms should note that the Consumer Duty does not replace or override other
applicable rules, guidance or law and does not require firms to act in a way that is
incompatible with any legal or regulatory requirements, such as those under
financial crime rules and obligations under the Money Laundering Regulations.
1.1.12 To find out more on the Consumer Duty, see ‘FG22/5 Final Non-Handbook
Guidance for firms on the Consumer Duty’
(www.fca.org.uk/publication/finalised-guidance/fg22-5.pdf).
3 Money laundering and terrorist financing
3.2 Themes
The Money Laundering Reporting Officer (MLRO)
3.2.2 …
Firms to which this section applies must appoint an individual as MLRO. The
MLRO is responsible for oversight of the firm’s compliance with its anti-money
laundering obligations and should act as a focal point for the firm’s AML activity.
Regulation 21(1)(a) of the Money Laundering Regulations also requires the
appointment of a senior manager as the officer responsible for the relevant
person’s compliance with these regulations. Where appropriate, this section can
be relevant to how that person meets their obligations under the Money
Laundering Regulations. If the MLRO meets the requirements in regulation
21(1)(a) and (3), firms need not make a separate notification to us.
…
Page 3 of 30
FCA 2024/46
Risk assessment
3.2.3 The guidance in FCG 2.2.4G and FCG 7.2.5G on risk assessment in relation to
financial crime and proliferation financing (PF) also applies to AML.
The assessment of money laundering financial crime and PF risk is at the core of
the firm’s AML, counter-terrorist financing (CTF) and PF effort and is essential
to the development of effective AML/CTF/PF policies and procedures. A firm is
required by Regulation 18 of the Money Laundering Regulations to undertake a
risk assessment. This also includes a risk assessment by relevant persons in
relation to PF as set out in Regulation 18A of those regulations.
Firms must therefore put in place systems and controls to identify, assess, monitor
and manage money laundering, terrorist financing and PF risk. These systems and
controls must be comprehensive and proportionate to the nature, scale and
complexity of a firm’s activities. Firms must regularly review their risk
assessment to ensure it remains current.
Under section 188 of the Economic Crime and Corporate Transparency Act 2023,
firms are able to share information with one another for the purpose of
preventing, detecting and investigating economic crime. Regulated firms should
use this information to assist with their risk-based decision making and should not
share it for commercial reasons or to provide sectors with additional powers to
exclude customers inappropriately. Firms must also consider their obligations
under the General data protection regulation.
Self-assessment questions:
• Which parts of the business present greater risks of money laundering,
terrorist financing and PF? (Has your firm identified the risks associated
with different types of customer customers or beneficial owner owners,
product products, services, activities, transactions, business line lines,
geographical location locations and delivery channel channels (e.g.
internet, telephone, branches)? Has it assessed the extent to which these
risks are likely to be an issue for the firm?)
• How does the risk assessment inform your day-to-day operations? (For
example, is there evidence that it informs the level of customer due
diligence you apply or your decisions about accepting or maintaining
relationships?)
• For cryptoasset businesses, how do you assess and address the risks of
different types of cryptoasset (e.g. anonymity-enhanced or privacy coins)?
Examples of good practice Examples of poor practice
• The firm has identified good …

sources of information on money
laundering, terrorist financing and
PF risks, such as National Risk
Assessments, ESA Guidelines,
Page 4 of 30
FCA 2024/46
FATF mutual evaluations and

typology reports, NCA alerts, press
reports, court judgements, reports
by non-governmental organisations
and commercial due diligence
providers.
• Consideration of money laundering, …

terrorist financing and PF risk
associated with individual business
relationships takes account of
factors such as:
o company structures;
o political connections;
o country risk;
o the customer’s or beneficial
owner’s reputation;
o source of wealth;
o source of funds;
o expected account activity;
o factors relating to the
customer’s countries or
geographic areas of operations;
o products and services;
o transactions;
o delivery channels;
o sector risk; and
o involvement in public contracts.
• The firm identifies where there is a …

risk that a relationship manager
might become too close to
customers to identify and take an
objective view of the money
laundering risk. It manages that risk
effectively.
• The firm engages with public-

private partnerships and private-
private partnerships to gather
insights on the latest financial crime
typologies and additional controls
that might be relevant and shares its
own best practice examples.
Page 5 of 30
FCA 2024/46
Customer due diligence (CDD) checks
3.2.4 …
…
• Are procedures sufficiently flexible to cope with customers who cannot
provide more common forms of identification (ID)?
• With non-face-to-face transactions, how does your firm’s approach
provide confidence that the person is who they claim to be? How do you
test any technology used as part of onboarding?
…
Ongoing monitoring
3.2.5 …
…
• How do you feed the findings from monitoring back into the customer’s
risk profile?
• Do you frequently review the monitoring system rules and typologies for
effectiveness? Do you understand the threshold and rule rationales?
• The firm uses monitoring results • A cryptoasset business assumes that

to review find out whether CDD blockchain analysis is all that is
remains adequate. required to monitor transactions
and fails to do its own transaction
monitoring based on the
knowledge of its customers or
relying on off-chain information.
• The firm takes advantage of • The firm’s measures fail to conduct

customer contact as an a full assessment of the risk. For
opportunity to update due diligence instance, the firm does not consider
information. changes in the nature of the
relationship or expected activities.
• The firm demonstrates a risk-based

approach following a monitoring
event. This could include
Page 6 of 30
FCA 2024/46
implementing regular periodic

reviews and having procedures for
event-driven reviews.
See regulations 27, 28(11), 33, 34 of the Money Laundering Regulations.
The use of transaction monitoring
3.2.5A This section is relevant to a firm using transaction monitoring as part of its
ongoing monitoring efforts to detect money laundering, financing of terrorism
and proliferation financing (see FCG 3.2.5G (Ongoing monitoring)). This could
be relevant to firms serving either retail or wholesale customers.
To date, many large institutions have used transaction monitoring systems that
work on a transaction-by-transaction or unusual transaction basis, or combination
of the two, flagging fund movements that exceed rule-driven thresholds for
human scrutiny. We understand that more sophisticated approaches show
potential in this area, and can be used to take a more rounded view of customer
behaviour – for example, showing how the customer fits into broader networks of
activity. Examples of such sophisticated technologies include the use of machine
learning tools or tools based on artificial intelligence to detect suspicious activity
or triage existing alerts.
This section applies to the use of both automated and manual transaction
monitoring, unless specified otherwise.
• Do you understand the effectiveness of your automated monitoring in
different business areas?
• What actions have been taken to mitigate shortcomings that have been
identified in business areas?
• What consideration has been given to alternative varieties of automated
monitoring, including the use of novel approaches?
• Where a firm uses automated methods for triaging alerts generated by
threshold-driven transaction-monitoring systems (e.g. scorecards overlaid
on existing systems or other systems to prioritise which alerts receive
manual attention), can this be justified within the context of the firm’s
overall approach to monitoring?
• New approaches are piloted or

subject to evaluation periods, with
firms able to demonstrate
appropriate testing.
Page 7 of 30
FCA 2024/46
• Monitoring arrangements (whether • The control framework around

automated or manual or both) seek automated monitoring is weak. For
to take a holistic view of customer example, senior management have
behaviour and draw on a range of an unrealistic expectation of what
data, rather than just transaction- automated monitoring systems are
by-transaction analysis. feasibly able to achieve, while
manual scrutiny of alerts lacks
resources and is unable to cope.
• Monitoring is applied, where • Threshold-based transaction

appropriate, at multiple levels of monitoring approaches are used in
aggregation: situations where they are not
suitable, while other methods of
o transaction level (the
scrutiny (such as oversight of
lowest);
customers by relationship
o account level (the aggregate managers) are neglected.
of transactions for an
account);
o customer level (the
aggregate of accounts for a
specific customer); and
o linked-entity level (i.e.
across a group of linked
customers by relationship
managers).
• When decommissioning an • A threshold-based, rule-driven

existing automated system (or transaction monitoring system is
aspects of that system, such as used but is poorly calibrated and
particular rule sets), a firm is able the firm struggles to articulate the
to justify this decision. rationale for particular rules and
Consideration may be given to, for scenarios.
example, the relative merits of
other approaches (including manual
approaches), the systems’ resource
implications, and the systems’
performance outcomes (such as the
intelligence-value of alerts and the
proportion of ‘false positives’).
• Before a new system replaces an • Data fed into an automated system

existing one, a robust judgement is not migrated smoothly when
is formed about the relative feeder systems are modified or
usefulness of both systems. While upgraded or transactions from a
each system may not flag all the specific system have been
same events, the firm is able to erroneously omitted from the
demonstrate that one approach transaction monitoring system.
produces better quality alerts
overall.
Page 8 of 30
FCA 2024/46
• A firm explores the use of new

approaches to automated
monitoring (e.g. network analysis
or machine learning). Consideration
is given to the limitations of these
approaches and how any resultant
risks can be contained. (For
example, it will not be clear to
operators of more free-form
varieties of machine learning why
the software has made its
recommendations, which can pose
ethical and audit challenges.)
• The firm tailors the monitoring • The firm uses a transaction

system rules to its business, risk monitoring system with set rules
and relevant typologies. The (which could include use of off-the-
system and rules are tested and shelf systems) and does not
reviewed for right outcomes calibrate these to the firms’
individual needs or review them
regularly for efficiency.
• The firm practices good record

keeping. For example, records of
decision making and rationales for
thresholds are documented and
accessible.
• Where a firm learns that criminals

have abused its facilities, a review
is performed to learn how
monitoring methods could be
improved to lessen the risk of
recurrence.
• The firm using an automated

system appropriately tests and
updates parameters to determine
whether a transaction is indicative
of potentially suspicious activity.
• A firm does not check that a

counterparty firm is monitoring
customer activity.
• A firm using an automated system • A firm using an automated system

keeps records of how the system lacks an understanding of what
has been trained. It records the the system is detecting and why.
process for making adjustments and This may be because of, for
example, staff turnover, poor
Page 9 of 30
FCA 2024/46
how the interpretable model can be documentation or weak

maintained. communication with the system’s
vendor.
See regulations 27, 28(11), 33 and 34 of the Money Laundering Regulations.
Case study – transaction monitoring
3.2.5B The FCA found that 3 key parts of HSBC’s transaction monitoring systems
showed serious weaknesses over an extended period of several years. The
systems were ineffective and not sufficiently risk sensitive for a prolonged
period. They exposed the bank and community to avoidable risks.
In particular, the bank failed to:
• consider whether the scenarios used to identify indicators of money
laundering or terrorist financing covered relevant risks;
• carry out timely risk assessments for new scenarios;
• appropriately test and update the parameters within the systems that were
used to determine whether a transaction was indicative of potentially
suspicious activity. There was a failure to understand those rules and certain
thresholds set made it almost impossible for the relevant scenarios to identify
potentially suspicious activity; and
• check the accuracy and completeness of the data being fed into, and
contained within, monitoring systems. This resulted in millions of
transactions worth billions of pounds that were either monitored incorrectly
or not at all.
The FCA imposed a financial penalty of £63,946,800.
See the FCA’s press release: www.fca.org.uk/news/press-releases/fca-fines-hsbc-
bank-plc-deficient-transaction-monitoring-controls.
Handling higher risk situations
3.2.7 …
The Money Laundering Regulations also set out some scenarios in which
specific enhanced due diligence measures have to be applied:
• Correspondent relationships: where a correspondent credit institution or

financial institution, involving the execution of payment, is outside the EEA
from a third country (see regulation 34 of the Money Laundering
Regulations), the UK credit or financial institution should apply both EDD
measures in regulation 33 as well as additional measures outlined in
regulation 34 commensurate to the risk of the relationship. This can include
in higher risk situations thoroughly understanding its correspondent’s
business, reputation, and the quality of its defences against money
laundering and terrorist financing. Senior management must also give
Page 10 of 30
FCA 2024/46
approval before establishing a new correspondent relationship. JMLSG

guidance sets out how firms should apply EDD in differing correspondent
trading relationships.
• Business relationships or a ‘relevant transaction’ where either party is

established in a high risk third country: the Money Laundering
Regulations defines:
(a) a high-risk third country as being one identified by the EU

Commission by a delegated act. See EU Regulation 2016/1675 (as
amended from time to time) as a country named by FATF on its list
of High-Risk Jurisdictions subject to a Call for Action or its list of
Jurisdictions under Increased Monitoring;
• Other transactions: EDD must be performed:
(b) in any other case which by its nature can present a higher risk of
money laundering, proliferation financing or terrorist financing. This
can include where there is evidence that a cryptoasset transaction has
involved privacy-enhancing techniques or products such as ‘mixers’
or ‘tumblers’, privacy coins and transactions involving the use of
self-hosted addresses, obfuscated ledger technology, ring signatures,
stealth addresses, ring confidential transactions, atomic swaps and
non-interactive zero knowledge proofs; and
(c) where findings from blockchain analysis indicates exposure to

criminal or sanctioned activities.
Customer payments
3.2.13 This section applies to banks subject to SYSC 6.3.

Interbank payments can be abused by criminals. International policymakers have
taken steps intended to increase the transparency of interbank payments, allowing
law enforcement agencies to more easily trace payments related to, for example,
drug trafficking or terrorism. The Funds Transfer Regulation requires Money
Laundering Regulations require banks to collect and attach information about
payers and payees of wire transfers (such as names and addresses, or, if a
payment moves within the EU, a unique identifier like an account number) to
payment messages. Banks are also required to check this information is present
on inbound payments, and chase missing data. The FCA has a legal responsibility
to supervise banks’ compliance with these requirements. Concerns have also
Page 11 of 30
FCA 2024/46
been raised about interbank transfers known as “cover payments” (see FCG
Annex 1) that can be abused to disguise funds’ origins. To address these
concerns, the SWIFT payment messaging system now allows originator and
beneficiary information to accompany these payments.
From 1 September 2023, similar obligations have applied for cryptoasset
transfers undertaken by cryptoasset businesses registered with the FCA under the
Money Laundering Regulations. This chapter may assist cryptoasset businesses
in implementing this requirement but they should also have regard to specific
expectations set out by the FCA. For further information, see
www.fca.org.uk/news/statements/fca-sets-out-expectations-uk-cryptoasset-
businesses-complying-travel-rule.
…
Case study – poor AML controls
3.2.14 …
See the FSA’s FCA’s press release for more information:
www.fsa.gov.uk/pages/Library/Communication/PR/2010/077.shtml
www.fca.org.uk/publication/final-notices/alpari.pdf.
Case study – poor AML controls: PEPs and high-risk customers
3.2.16 …
www.fsa.gov.uk/library/communication/pr/2012/032.shtml
www.fca.org.uk/publication/final-notices/coutts-mar12.pdf.
Poor AML controls: risk assessment
3.2.17 …
www.fsa.gov.uk/library/communication/pr/2012/055.shtml
www.fca.org.uk/publication/final-notices/habib-bank.pdf.
3.4 Sources of further information
3.4.1 To find out more on anti-money laundering, see:

…
• The latest UK National Risk Assessment of money laundering and
terrorist financing 2017 2020 -
https://www.gov.uk/government/publications/national-risk-assessment-
of-money-laundering-and-terrorist-financing-2017
Page 12 of 30
FCA 2024/46
www.gov.uk/government/publications/national-risk-assessment-of-
money-laundering-and-terrorist-financing-2020
…
3.4.2 To find out more on countering terrorist finance, see:

…
• The European Supervisory Authorities (ESAs) have published risk factors
guidelines under Articles 17 and 18(4) of Directive (EU)
2015/849- https://www.eba.europa.eu/-/esas-publish-aml-cft-guidelines
https://www.eba.europa.eu/sites/default/files/documents/10180/1890686/
66ec16d9-0c02-428b-a294-
ad1e3d659e70/Final%20Guidelines%20on%20Risk%20Factors%20%28J
C%202017%2037%29.pdf
…
3.4.3 To find out more on customer payments, see:

• JMLSG guidance (www.jmlsg.org.uk/guidance/current-guidance/):
o Sector 22 of Part II (Cryptoasset exchange providers and custodian
wallet providers) and Annex 22-I of Part II (Cryptoassets Transfers
(‘Travel Rule’)); and
o Chapter 1 of Part III (Transparency in electronic payments (Wire
transfers)) of the JMLSG’s guidance, which will be banks’ chief
source of guidance on this topic: www.jmlsg.org.uk.
…
• The Wolfsberg Group’s statement on payment standards:
https://www.wolfsberg-
principles.com/sites/default/files/wb/pdfs/wolfsberg-
standards/1.%20Wolfsberg-Payment-Transparency-Standards-October-
2017.pdf https://db.wolfsberg-group.org/assets/373dbb28-b518-4080-
82cc-
4be7a54aa16e/Wolfsberg%20Group%20Payment%20Transparency%20S
tandards%202023.pdf
• Joint Guidelines to prevent terrorist financing and money laundering in
electronic fund transfers- http://www.eba.europa.eu/-/esas-provide-
guidance-to-prevent-terrorist-financing-and-money-laundering-in-
electronic-fund-transfers
• The Funds Transfer Regulation (EU Regulation 847/2015 on information
on the payer accompanying transfers of funds):
http://data.europa.eu/eli/reg/2015/847/oj
• The Money Laundering Regulations
• FCA statement: www.fca.org.uk/news/statements/fca-sets-out-
expectations-uk-cryptoasset-businesses-complying-travel-rule
3.4.4 …
Page 13 of 30
FCA 2024/46
3.4.5 To find out more on proliferation financing, see:

• The UK National risk assessment of proliferation financing 2021:
assets.publishing.service.gov.uk/media/65a01397e96df50014f844fe/Risk
_assessment_of_proliferation_financing__1_.pdf
• FATF work on proliferation financing: www.fatf-
gafi.org/en/topics/proliferation-financing.html
4 Fraud
4.2 Themes
Preventing losses from fraud
4.2.1 …
• Enhanced due diligence is …

performed on higher risk customers
(e.g. commercial customers with
limited financial history. See ‘long
firm fraud’ in FCG Annex 1).
• Cryptoasset businesses pre-screen

outbound transactions for addresses
linked to fraud.
Enforcement action against mortgage brokers
4.2.4 Since the FSA began regulating mortgage brokers in October 2004, the FSA have
banned over 100 mortgage brokers. Breaches the FCA has identified as part of
enforcements actions against mortgage brokers have included:
…
The FSA have FCA has referred numerous cases to law enforcement, a number of
which have resulted in criminal convictions.
Page 14 of 30
FCA 2024/46
4.4.2 The list of other bodies engaged in counter-fraud activities is long, but more
information is available from:
…
• Fighting Fraud Action (FFA-UK) is responsible for leading the collective
fight against financial fraud on behalf of the UK payments industry,
https://www.financialfraudaction.org.uk/.
…
5 Data security
5.2 Themes
Controls
5.2.3 …
Effective cyber practices
5.2.3A Self-assessment questions:

• Are critical systems and data backed up, and do you test backup recovery
processes regularly?
• Are you able to restore services in the event of an incident?
• Are network and computer security systems, software and applications
kept up to date and regularly patched? Do you make sure your computer
network and information systems are configured to prevent unauthorised
access?
• How do you manage user and device credentials? Do you ensure that staff
use strong passwords when logging on to hardware and software? Are the
default administrator credentials for all devices changed?
• Is two-factor authentication used where the confidentiality of the data is
most crucial?
• How do you protect sensitive data that is stored or in transit? Do you use
encryption software to protect your critical information from unauthorised
access?
• Using weak or easy to guess

passwords or creating passwords
from familiar details.
Page 15 of 30
FCA 2024/46
• The firm carries out regular • Poor physical management and/or

vulnerability assessments and control of devices.
patching.
• The firm carries out regular • Not setting out appropriate user
security testing. privileges on access to resources on
the firm’s network, data storages or
applications.
• An application programming • Not encrypting data at storage or

interface (API) allows different between networks.
software to communicate with each
other and has security measures in
place.
• Not updating devices, software and

operating systems with the latest
security patches.
• Not properly vetting third-party

systems and vendors.
• Not employing multi-factor

authentication for devices, systems
and services.
• Insufficient staff training around

social engineering and vishing and
phishing campaigns.
• The firm is able to restore systems

following an incident and
restorations are done in a timely
manner.
• Inadequate controls to revoke

access for staff that leave the firm,
the role or the department.
Case study – protecting customers’ accounts from criminals
5.2.4 …
For more, see the FSA’s FCA’s press release:
www.fca.org.uk/news/press-releases/fsa-fines-norwich-union-life-
%C2%A3126m-exposing-its-customers-risk-fraud
Case study – data security failings
Page 16 of 30
FCA 2024/46
5.2.5 …
The FSA’s FCA’s press release has more details:
www.fca.org.uk/news/press-releases/fsa-fines-zurich-insurance-
%C2%A32275000-following-loss-46000-policy-holders-personal
5.4.1 To find out more, see:

• the website of the Information Commissioner’s Office: www.ico.org.uk.
• National Cyber Security Centre, 10 Steps to Cyber Security:
www.ncsc.gov.uk/collection/10-steps/data-security.
• National Cyber Security Centre, Cyber Security Toolkit for Boards:
www.ncsc.gov.uk/collection/board-toolkit/introduction-to-cyber-security-
for-board-members.
6 Bribery and corruption
6.2 Themes
Case study – corruption risk
6.2.5 In January 2009, Aon Limited, an insurance intermediary based in the UK, was
fined £5.25m for failures in its anti-bribery systems and controls.
The firm made suspicious payments totalling $7m to overseas firms and
individuals who helped generate business in higher risk jurisdictions. Weak
controls surrounding these payments to third parties meant the firm failed to
question their nature and purpose when it ought to have been reasonably obvious
to it that there was a significant corruption risk.
• Aon Limited failed properly to assess the risks involved in its dealings
with overseas third parties and implement effective controls to mitigate
those risks.
• Its payment procedures did not require adequate levels of due diligence to
be carried out.
• Its authorisation process did not take into account the higher levels of risk
to which certain parts of its business were exposed in the countries in
which they operated.
• After establishment, neither relationships nor payments were routinely
reviewed or monitored.
Page 17 of 30
FCA 2024/46
• Aon Limited did not provide relevant staff with sufficient guidance or
training on the bribery and corruption risks involved in dealings with
overseas third parties.
• It failed to ensure that the committees it appointed to oversee these risks
received relevant management information or routinely assessed whether
bribery and corruption risks were being managed effectively.
See the FSA’s press release:
In 2020, the FCA and the PRA fined Goldman Sachs International a total of
£96.6m (US$126m) for risk management failures connected to a Malaysian
development company (‘the company’) and its role in 3 fundraising transactions
for the company.
The bank failed to assess and manage risk to the standard that was required given
the high-risk profile of the transactions and failed to assess risk factors on a
sufficiently holistic basis. The bank also failed to address allegations of bribery in
2013 and failed to manage allegations of misconduct in connection with the
company in 2015.
The bank breached a number of FCA and PRA principles and rules. In particular,
the bank failed to:
• assess with due skill, care and diligence the risk factors that arose in each of
the bond transactions on a sufficiently holistic basis;
• assess and manage the risk of the involvement in the bond transactions of a
third party about which the bank had serious concerns;
• exercise due skill, care and diligence when managing allegations of bribery
and misconduct in connection with the company and the third bond
transaction; and
• record in sufficient detail the assessment and management of risk associated
with the company bond transactions.
See the FCA’s press release: www.fca.org.uk/news/press-releases/fca-pra-fine-
goldman-sachs-international-risk-management-failures-1mdb.
Case study – inadequate anti-bribery and corruption systems and controls
6.2.6 …
See the FSA’s FCA’s press release:
www.fca.org.uk/news/press-releases/fsa-fines-willis-limited-%C2%A36895-
million-anti-bribery-and-corruption-systems-and.
Case study – third parties
6.2.7 In 2022, the FCA fined JLT Speciality Limited £7,881,700 for financial crime
control failings, which in one instance allowed bribery of over $3m to take place.
The firm failed to consider whether additional safeguards or approvals should be
incorporated into processes in respect to overseas introducers engaged by another
Page 18 of 30
FCA 2024/46
group entity, where the introduced business was placed by the firm in the London
market. Among other issues, the firm’s third-party risk assessments failed to:
• ensure that information held by employees who were either involved in
negotiating the relationship with the third party or placing the business in the
London market, including potential red flags, was brought to the attention of
the company’s ‘know your customer’ subcommittee or its financial crime
team;
• ensure that the other entity disclosed all material information about the third
party to the financial crime team for review, consideration and action as
necessary; and
• consider whether additional monitoring and oversight of third parties, in
accordance with the firm’s process, was appropriate.
See the FCA’s press release: www.fca.org.uk/news/press-releases/jlt-specialty-
limited-fined-7.8m-pounds-financial-crime-control-failings.
6.4.1 To find out more, see:

…
• The Ministry of Justice’s guidance about procedures which relevant
commercial organisations can put into place to prevent persons associated
with them from bribing:
https://www.justice.gov.uk/downloads/legislation/bribery-act-2010-
guidance.pdf
https://assets.publishing.service.gov.uk/media/5d80cfc3ed915d51e9aff85a
/bribery-act-2010-guidance.pdf (full version)
https://www.justice.gov.uk/downloads/legislation/bribery-act-2010-quick-
start-guide.pdf
https://assets.publishing.service.gov.uk/media/5d80cfd5ed915d5257b5b69
3/bribery-act-2010-quick-start-guide.pdf (quick start guide)
…
7 Sanctions and, asset freezes and proliferation financing
7.1 Introduction
7.1.1 Who should read this chapter? All firms are required to comply with the UK’s
UK financial sanctions regime. The FCA’s role is to ensure that the firms it
supervises have adequate systems and controls to do so. As such, this chapter
applies to all firms subject to the financial crime rules in SYSC 3.2.6R or SYSC
6.1.1R. It also applies to e-money institutions and payment institutions and
the cryptoasset sector within our supervisory scope.
7.1.2 Firms’ systems and controls should also address, where relevant, the risks they
face from weapons proliferators, although these risks will be very low for the
majority of FSA-supervised FCA-supervised firms. FCG 7.2.5G, which looks at
Page 19 of 30
FCA 2024/46
weapons proliferation, applies to banks carrying out trade finance business and
those engaged in other activities, such as project finance and insurance, for
whom the risks are greatest all firms subject to our supervision.
7.1.5 All individuals and legal entities who are within or undertake activities within the
UK’s territory must comply with the EU and UK financial sanctions that are in
force. All UK nationals and UK legal entities established under UK law,
including their branches, must also comply with UK financial sanctions that are in
force, irrespective of where their activities take place.
Under Principle 11 (PRIN 2.1.1R), we expect authorised firms to notify us if they
(or their group companies, approved persons, senior management functions,
appointed representatives and agents) are targets of UK sanctions or those of
any other country or jurisdiction.
For firms such as electronic money institutions, payment services firms,
cryptoasset businesses and Annex I financial institutions, this is regarded as a
material change of circumstance and we expect to be informed if you or any
connected entities are targets of UK sanctions or those of any other country or
jurisdiction.
7.1.5A The Office of Financial Sanctions (OFSI) within the Treasury helps to ensure that
financial sanctions are properly understood, implemented and enforced in the
United Kingdom. HM Government publishes the UK Sanctions List, which
provides details of those designated under regulations made under the Sanctions
and Anti-Money Laundering Act. The list also details which sanctions measures
apply to these persons or ships. OFSI maintains a Consolidated List of financial
sanctions targets designated by the United Nations, the European Union and the
United Kingdom, which is available from its website. If firms become aware of a
breach, they must notify OFSI in accordance with the relevant provisions. OFSI
have published guidance on complying with UK obligations and this is available
on their website. See https://www.gov.uk/government/publications/financial-
sanctions-faqs.
Firms should also consider whether they should report sanctions breaches to the
FCA. SUP 15.3 contains general notification requirements. Firms are required to
tell us, for example, about significant rule breaches (see SUP 15.3.11R(1)). Firms
should therefore consider whether a sanctions breach is the result of any matter
within the scope of SUP 15.3 – for example, a significant failure in their financial
crime systems and controls.
7.2 Themes
7.2.-1 The guidance set out in FCG 2.2 (Themes) and FCG 2.3 (Further guidance) also
applies to sanctions.
Governance
Page 20 of 30
FCA 2024/46
7.2.1 The guidance in FCG 2.2.1G on governance in relation to financial crime also
applies to sanctions.
Senior management should be sufficiently aware of the firm’s obligations
regarding financial sanctions to enable them to discharge their functions
effectively. We expect senior management to take clear responsibility for
managing sanctions risks, which should be treated in the same manner as other
risks faced by the business. There should be evidence that senior management are
actively engaged in the firm’s approach to addressing the risks of non-compliance
with UK financial sanctions. Where they identify gaps, they should remediate
them.
…
• How does the firm monitor performance? (For example, statistical or
narrative reports on matches or breaches.)
• How are senior management kept up to date with sanctions compliance
issues?
• Does the firm’s organisational structure with respect to sanctions
compliance across different jurisdictions promote a coordinated
approach and accountability?
• Does the firm have evidence that sanctions issues are escalated where
warranted?
• Where sanctions controls processes rely on resource external to the firm,
is there appropriate oversight and understanding of that resource?
• An individual of sufficient • The firm believes payments to

authority is responsible for sanctioned individuals and entities
overseeing the firm’s adherence to are permitted when the sums are
the UK sanctions regime. small. Without a licence from the
Asset Freezing Unit OFSI, this
could be a criminal offence.
• Multinational firms lack the

communication between global
and regional sanctions teams
necessary to manage compliance
with UK sanctions laws,
regulations and guidance.
The offence will depend on the sanctions provisions breached.
Page 21 of 30
FCA 2024/46
Management information (MI)
7.2.1A The guidance in FCG 2.2.2G on MI in relation to financial crime also applies to
sanctions.
Senior management should be sufficiently aware of the firm’s obligations
regarding sanctions to enable them to discharge their functions effectively.
• How does your firm monitor performance? (For example, statistical or
narrative reports on matches or breaches.)
• Does regular and ad hoc MI provide senior management with a clear
understanding of the firm’s sanctions compliance risk?
• Is the MI produced relevant to UK sanctions?
Risk assessment
7.2.2 The guidance in FCG 2.2.4G on risk assessment in relation to financial crime also
applies to sanctions and proliferation financing (PF) (see 7.2.5G for PF).
A firm should consider which areas of its business;
• are most likely to provide services or resources to individuals or entities
on the Consolidated List.;
• are owned and controlled by individuals or entities on the Consolidated
List;
• engage in services or transactions prohibited under UK financial
sanctions; or
• rely on prohibited suppliers, intermediaries or counterparties.
• Does your firm have a clear view on where within the firm breaches
potential sanctions breaches are most likely to occur? (This may cover
different business lines, sales channels, customer types, geographical
locations, etc.)
• How is the risk assessment kept up to date, particularly after the firm
enters a new jurisdiction, introduces a new product or where it has
identified new sanctions risk events?
• Has senior management set a clear risk appetite in relation to its
sanctions risks, including in its exposure to sanctioned persons, activities
and jurisdictions?
• Does your firm have established risk metrics to help detect and manage
its sanctions compliance exposure on an ongoing basis?
• Are there established procedures to identify and escalate new sanctions
risk events, such as new sanctions regimes, sanctioned activities and
evasion typologies?
Page 22 of 30
FCA 2024/46
• Is your firm utilising available guidance and resources on new and

emerging sanctions evasion typologies?
• A small firm is aware of sanctions …

regime and where it is most
vulnerable, even if risk assessment
is only informal.
• The firm conducts contingency

planning, taking a proactive
approach to identifying sanctions
exposure and is conducting
exposure assessments and scenario
planning. The firm updates
business-wide and customer risk
assessments to account for
changes in the nature and type of
sanctions measures.
• The firm performs lessons learned

exercises following material
sanctions developments to improve
its readiness to respond to future
events.
• The firm engages with public-

private partnerships and private-
private partnerships to gather
insights on the latest typologies and
additional controls that might be
relevant and share its own best
practice examples.
Customer due diligence checks
7.2.2A As well as being relevant to other financial crime controls, effective customer due
diligence (CDD) and know your customer (KYC) assessments are a cornerstone
of effective compliance with sanctions requirements.
Page 23 of 30
FCA 2024/46
• Sanctions risk is proactively • The firm has low-quality CDD and

included into the firm’s CDD KYC assessments and review
process. backlogs, raising the risk of not
identifying sanctioned individuals
and entities.
• The firm’s CDD identifies all • The firm’s CDD processes are
parties relevant for its screening unable to identify connected
processes. parties and corporate structures that
may be subject to sanctions.
• The firm’s customer onboarding • The firm’s CDD does not

and due diligence processes are articulate full ownership structures
designed to identify customers of entities and the firm is unable to
who make use of corporate show that it is screening all relevant
vehicles to obscure ownership or parties.
source of funds.
• The firm has processes designed

to identify activity that is not in
line with the customer profile or
is otherwise suspicious.
7.2.2B Further guidance on good and bad practice relating to CDD checks can be found
in FCG 3.2.4G.
Screening customers against sanctions lists, counterparties and payments
7.2.3 A firm should have effective, up-to-date screening systems appropriate to the
nature, size and risk of its business. Although screening itself is not a legal
requirement, screening new customers, counterparties to transactions and
payments against the Consolidated List, and screening existing customers when
new names are added to the list, helps to ensure that firms will not breach the UK
sanctions regime. (Some firms may knowingly continue to retain customers who
are listed under UK sanctions: this is permitted if OFSI has granted a licence.)
…
• How does the firm become aware of changes to the Consolidated List?
(Are there manual or automated systems? Are customer lists rescreened
after each update is issued?)
• Does your firm have a clear policy on which customers, counterparties
and payments are subject to screening, and what related data is subject to
screening?
• Does your firm have service level agreements that cover how quickly it
updates its sanctions screening lists following updates to the Consolidated
List and that are appropriate to the sanctions risks of its business?
Page 24 of 30
FCA 2024/46
• Does your firm evaluate its screening capabilities so that its screening
system is adequately calibrated for its needs and to monitor UK sanctions?
Do you regularly test/measure the effectiveness of the system?
• Is the team responsible for sanctions compliance properly resourced and
skilled to effectively perform sanctions screening and alert
management?
• If using an outsourced service, does your firm have appropriate control
and oversight of its sanctions screening controls?
• There are quality control checks …

over manual screening.
• The firm understands its • Calibration is not adequately

automated screening tool and how tailored and the system is either
it is calibrated, and is able to too sensitive or not sensitive
demonstrate that it is appropriate to enough. This may result in name
the firm’s risk exposure. variations not being detected, for
example.
• The firm is able to show the • There is limited or no

controls in place to measure the understanding by the firm about
effectiveness of its automated how a third-party tool is calibrated
system, thresholds and parameters and when lists are updated.
– for instance, with sample testing
and tuning.
• Where a firm uses automated …

systems, these can make ‘fuzzy
matches’ (e.g. able to identify
similar or variant spellings of
names, name reversal, digit
rotation, character manipulation,
etc.). The firm continually seeks
ways to enhance the system to help
identify potential sanctions
breaches.
• Where the firm maintains an …

account for a listed individual or
entity, the status of this account
is clearly flagged to staff.
Page 25 of 30
FCA 2024/46
• A firm only places faith in relies on • The firm is overly reliant on a

other firms’ screening (such as third-party provider screening
outsourcers or intermediaries) after solution, with no oversight. The
taking steps to satisfy themselves firm has no means of monitoring
itself this is appropriate. payment instructions.
• The screening tool is calibrated

and tailored to the firm’s risk and
is appropriate for screening UK
sanctions. Customers and their
transactions are screened against
relevant updated sanctions lists and
effective re-screening is in place to
identify activity that may indicate
sanctions breaches.
• Where blockchain analytics

solutions are deployed, the firm
ensures that compliance teams
understand how these capabilities
can be best used to identify
transactions linked to higher risk
wallet addresses, including those
included on the Consolidated
List.
• The firm’s sanctions teams are • The firm lacks proper resources
adequately resourced to avoid and expertise to ensure effective
backlogs in sanctions screening and screening and investigation of
are able to react to those at pace. alerts. It has significant backlogs
and faces the risk of non-
compliance with its obligations.
• Increased volumes and pressure on

sanctions teams following changes
in the sanctions landscape
prevent firms from taking
appropriate and timely action for
true positive alerts and increase the
risk of errors. There is a lack of
clarity around prioritisation of
alerts, internal service level
agreements and governance.
Evasion detection and investigation
7.2.3A A firm should have effective, up-to-date screening systems appropriate to the
nature, size and risk of its business. However, simple screening of names against
the Consolidated List may not always identify potential sanctions evasion
Page 26 of 30
FCA 2024/46
involving third parties and alternative detection techniques may be needed.

Potential red flags for sanctions evasion are set out in alerts issued by the
National Economic Crime Centre (NECC).
• Does your firm understand potential sanctions evasion typologies relevant
to its business and has it considered how to detect them?
• Has your firm considered whether additional procedures are needed to
identify potential sanctions evasion?
• The firm is using techniques, such

as data analytics, to identify
customers who may be close
associates or dependents or have
transactional links with designated
persons, and so may represent a
higher risk of sanctions non-
compliance.
Asset freezing and licenses
7.2.3B When a financial sanction is an asset freeze, the funds and economic resources
belonging to or owned, held or controlled by a designated person are generally to
be frozen immediately by the person in possession or control of them, unless
there is an exception in the legislation they can rely on, or they have a licence
from OFSI.
• Does your firm have clear policies and procedures as to when funds and
economic resources are frozen or released?
• Have you assessed how any frozen funds and economic resources in your
firm’s possession or control are maintained in compliance with UK
sanctions?
• Does your firm have clear policies and procedures to assess, utilise and
monitor the use of OFSI licences and statutory exceptions?
Reporting and assessing potential sanctions breaches
7.2.3C Relevant firms are required to report to OFSI where they know or have reasonable
cause to suspect a breach of financial sanctions, and notify OFSI if:
• a person they are dealing with, directly or indirectly, is a designated person;
• they hold any frozen assets; or
• they discover or suspect any breach while conducting their business.
Page 27 of 30
FCA 2024/46
In line with Principle 11, SUP 15.3.8G(2) and FCG 7, firms must consider
whether they need to notify us – for example, whether potential breaches of
sanctions resulted from a significant failure in their systems and controls.
• Is there a clear procedure that sets out what to do if a potential sanctions
breach is identified? (This might cover, for example, alerting senior
management, OFSI and the FCA, and giving consideration to whether to
submit a Suspicious Activity Report).
• Does your firm consider the root causes of any potential sanctions
breaches and consider the implications for its policies and procedures?
• The firm undertakes a root cause The firm does not report a breach of
analysis of potential sanctions financial sanctions to OFSI when
breaches and uses them to update required to do so. This could be a
its sanctions controls. criminal offence.
• After a breach, as well as meeting

its formal obligation to notify
OFSI, the firm reports the breach
to the FCA. SUP 15.3 contains
general notification requirements.
Firms are required to tell us about
significant rule breaches (see SUP
15.3.11R(1)), such as a significant
failure in their financial crime
• Significant deficiencies in the

firm’s systems and controls
resulting in potential sanctions
breaches are reported to the FCA.
Weapons proliferation
7.2.5 Alongside financial sanctions, the government imposes controls on certain types
of trade in order to achieve foreign policy objectives. The export of goods and
services for use in nuclear, radiological, chemical or biological weapons
programmes is subject to strict controls. Firms’ systems and controls and policies
and procedures should address and mitigate the proliferation risks they face.
Firms are also required to carry out proliferation financing risk assessments under
regulation 18A of the Money Laundering Regulations, either as part of the
existing practice-wide risk assessment or as a standalone document.
Page 28 of 30
FCA 2024/46
7.3 Further guidance
7.3.1 FCTR contains the following additional material on sanctions and assets freezes:
• FCTR 8 summarises the findings of the FSA’s FCA’s thematic review
Financial of financial services firms’ approach to UK financial sanctions
and includes guidance on:
…
7.4.1 To find out more on financial sanctions, see:

…
• Part III of the Joint Money Laundering Steering Group’s guidance, which
is a chief source of guidance for firms on this topic: www.jmlsg.org.uk
• OFSI UK Financial Sanctions Guidance:
www.gov.uk/government/publications/financial-sanctions-general-
guidance/uk-financial-sanctions-general-guidance
• Alerts published by the NECC: www.nationalcrimeagency.gov.uk/who-
we-are/publications/
• FCA sanctions webpages – these pages include our latest updates and
details on how to report sanctions breaches to us:
o www.fca.org.uk/russian-invasion-ukraine
o www.fca.org.uk/firms/financial-crime/financial-sanctions
7.4.2 To find out more on trade sanctions and proliferation, see:

…
• The NCA’s website, which contains guidelines on how to report
suspicions related to weapons proliferation:
http://www.nationalcrimeagency.gov.uk/publications/suspicious-activity-
reports-sars/57-sar-guidance-notes
www.nationalcrimeagency.gov.uk/who-we-are/publications/171-sar-
guidance-notes/file
• The FATF website. In June 2008, FATF launched a ‘Proliferation
Financing Report’ that includes case studies of past proliferation cases,
including some involving UK banks. This was followed up with a report
in February 2010:
https://www.fatf-
gafi.org/media/fatf/documents/reports/Typologies%20Report%20on%20P
roliferation%20Financing.pdf.
Page 29 of 30
FCA 2024/46
http://www.fatf-gafi.org/media/fatf/documents/reports/Status-report-
proliferation-financing.pdf.
• The FATF guidance on proliferation financing:
o www.fatf-gafi.org/content/dam/fatf-
gafi/reports/Typologies%20Report%20on%20Proliferation%20Fina
ncing.pdf
o www.fatf-
gafi.org/en/publications/Financingofproliferation/Proliferation-
financing-risk-assessment-mitigation.html
• HM Government’s website, which includes the National Risk Assessment
of Proliferation Financing: www.ncsc.gov.uk/collection/board-
toolkit/introduction-to-cyber-security-for-board-members
• The Office of Trade Sanctions Implementation (OTSI) helps to ensure that
trade sanctions are properly understood, implemented and enforced. OTSI
has published guidance regarding trade sanctions, and this is available on
its website: www.gov.uk/otsi
Annex Common terms
Annex 1 Common terms
Annex 1 …
Term Meaning
Data Protection Act …

1998 (DPA)
ECCTA The Economic Crime and Corporate Transparency Act

2023
Page 30 of 30
Pub ref: 1-008343
© Financial Conduct Authority 2024

12 Endeavour Square London E20 1JN
Telephone: +44 (0)20 7066 1000
Website: www.fca.org.uk
All rights reserved

Financial_Crime_Guide

Uploaded by

Copyright:

Available Formats

Financial_Crime_Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Financial_Crime_Guide

Uploaded by

Copyright:

Available Formats

Policy Statement

Financial Crime Guide Changes

Sign up for our news and publications alerts

Public Consultation on Proposed Changes

Our Response to the Feedback

• An overview of the consultation process.

• All FCA financial crime supervised firms.

The wider context of this policy statement

Focus and scope of proposed changes

Alignment with our objectives

• International competitiveness and growth

– Financial crime imposes significant costs across the economy. It harms

What we are changing

2.12 Cryptoasset Businesses: Cryptoasset businesses registered under the Money

2.15 Please refer to the final guidance as set out in Annex 1.

Outcomes we are seeking

• Firms to have read and understood the changes.

Summary of feedback and our response

2.22 Transaction Monitoring: Feedback on TM was positive. Respondents welcomed

2.23 Cryptoasset businesses: Firms supported the inclusion of cryptoasset businesses

2.27 For future updates to the Guide, some respondents requested:

Equality and diversity considerations

What you need to do next

What we will do next

Feedback on Proposed Draft Guidance: CP24/9

We have updated the terminology in the sanctions chapter for clarity

Proliferation Financing (PF)

We carefully considered the proposal to separate PF from the wider

Transaction Monitoring (TM)

3.9 Some respondents suggested we consider creating a sub-chapter for cryptoasset

The Consumer Duty

• Adding a good practice example on firms’ ability to restore systems following an

Data and Information Sharing

Technology, Artificial Intelligence and Machine Learning

Politically Exposed Persons (PEPs)

3.31 We have incorporated a reference to Money Laundering and Terrorist Financing

Feedback: Unintended Consequences, Equality and Diversity

Question 3: Do you foresee any unintended consequences from the

A small number of respondents expressed concerns about aligning the

3.34 In CP24/9 we asked:

We received a small number of responses about our Cost Benefit Analysis

3.35 In CP24/9 we asked:

Question 5: Do you agree with the comments on the assessment of the

Alastair Cookson, Director - Redline Capital (UK) Limited

API Compliance Ltd

The Association of Professional Compliance Consultants

Brian Swainston, Deputy MLRO – Fidelity International

Debt Managers Standards Association Ltd (DEMSA)

Finance and Leasing Association

The Investing and Saving Alliance (TISA)

Joshua Tjeransen, International Consultant (Proliferation Finance) – United Nations

Marilyne Ordekian, PhD Candidate – Computer Science, University College London

Nottingham Building Society

Odyssey Pensions Limited

Venkatesh Balasubramaniam, CAMS, CFCS, Consulting Partner –

AML Anti-Money Laundering

APP Fraud Authorised Push Payment Fraud

CDD Customer Due Diligence

CTF Counter Terrorist Financing

ECCTA Economic Crime and Corporate Transparency Act 2023