Jonathan Marsh Hunton & Williams LLP Fraud Risk Management: The FSA’s Expectations.

Presentation transcript:

Overview
• Where is the FSA coming from?
• What are the FSA’s expectations?
• Dealing with the aftermath

The FSA’s regulatory objectives – s.2 FSMA
• Market confidence
• Public awareness
• Consumer protection
• Reduction of financial crime

The reduction of financial crime objective – s.6 FSMA
• Reducing the extent to which regulated persons and businesses in breach of the general prohibition can be used for a purpose connected with financial crime
• Financial crime is any offence involving:
  • Fraud or dishonesty
  • Market abuse
  • Money laundering

The reduction of financial crime objective – s.6 FSMA
The FSA must, in particular, have regard to the desirability of regulated persons:
• Being aware of the risk of their businesses being used in connection with the commission of financial crime
• Taking appropriate measures (in relation to their administration and employment practices, the conduct of transactions by them and otherwise) to prevent financial crime, facilitate its detection and monitor its incidence
• Devoting adequate resources to prevention, detection and monitoring

An increased focus
• October 2004: Philip Robinson speech – the FSA’s new approach to fraud – fighting fraud in partnership
• February 2006: Firms’ High Level Management of Fraud Risk
• March 2006: Capita Financial Administrators Limited

Fighting fraud in partnership: key messages
• strong anti-fraud culture led from the top
• clear allocation of responsibility for fraud risk management
• staff training
• KYC procedures
• capture and use of management information on fraud
The FSA will pay “more attention to firm’s arrangements for managing their fraud risks”

Firms’ High Level Management of Fraud Risk – Governance
• High level sponsorship of fraud management at executive level
• Boards/board committees receive fraud reports but not expected to have direct involvement in formulation and monitoring of anti-fraud initiatives
• Development and monitoring of fraud strategies typically the responsibility of high-level management committees e.g. risk committee or fraud “steering groups”
• Approval of anti-fraud strategies and plans was sometimes informal and director level accountability for delivery of strategies and plans was unclear

Firms’ High Level Management of Fraud Risk – Roles, Responsibilities and Resources
• High risk organisations (e.g. retail banks, insurers) – generally well defined anti-fraud roles and responsibilities
• Lower risk organisations (e.g. investment banks, asset managers) – reliance on control procedures not specifically labelled as anti-fraud measures
• The FSA’s view: without formal, integrated anti-fraud responsibilities and structures, anti-fraud initiatives may be difficult to sustain on an ongoing basis
• Favourable comment on a “hub and spoke” model with a central team coordinating anti-fraud activity and dissemination of best practice

Firms’ High Level Management of Fraud Risk – Fraud Data and Reporting
• Accurate and detailed fraud data and analysis necessary to assess where and why there is a fraud risk
• Systems and controls should be capable of detecting fraud risk at an early stage
• Role of trade associations in collecting and sharing fraud related data

Firms’ High Level Management of Fraud Risk – Risk Assessment and Risk Appetite
• Generally fraud risk was reported and reviewed within operational risk management reporting channels
• Lack of formal fraud risk assessment processes beyond those required for operational risk purposes
• Firms need to assess the fraud risk that they are exposed to (e.g. mispricing in the derivatives sector) and ensure that appropriate controls are in place to mitigate this risk
• Allocation of anti-fraud resources was generally not driven by a clear cost-benefit or risk appetite analysis

Firms’ High Level Management of Fraud Risk – Business Engagement, Systems and Controls
• Investment in systems and controls and a focus on robust anti-fraud operational processes is key to risk mitigation
• Fraud threats are dynamic and the ability to meet emerging fraud threats depends on good analytics in a firm’s anti-fraud operations
• Focused management of internal (staff) fraud risk
  • Enhanced vetting
  • High profile arrests
  • Communication and awareness
• Focused management of fraud risk in product design – fraud risk identification should take place at an early stage

Firms’ High Level Management of Fraud Risk – Recruitment
• Insider fraud (coercion, collusion, infiltration or employee’s own initiatives) considered to be one of the most serious fraud threats faced by financial institutions
• Enhanced vetting procedures e.g. use of specialist agencies to conduct pre-employment screening with varying levels of screening depending on seniority
• Vetting key suppliers and insisting on agreed standards of employee screening which will be checked by random, unannounced visits
• Insider profiling – working with the police to compare new recruits against insider profiles

Firms’ High Level Management of Fraud Risk – Anti-Fraud Training
Varying approaches to staff training
• Generally fraud awareness training given to new staff as part of induction
• Newsletters or staff alerts
• Computer-based training packages
• Training predicated on “red flag” recognition
• Good practice guidelines supported by tailored training on a divisional basis

Firms’ High Level Management of Fraud Risk – Resources for Tackling Fraud
• Increase in the size of dedicated anti-fraud teams and staff
• Increase in awareness of financial crime and fraud risk
• High hurdle rates applied to proposals for anti-fraud investment and financial considerations outweighed qualitative concerns such as reputational risk

Firms’ High Level Management of Fraud Risk – Fraud Investigations
• In larger firms responsibility for significant or complex fraud investigations was delegated to specialist departments
• At other firms responsibility given to corporate security or audit
• Varying degrees of sophistication e.g. some fraud investigation units able to conduct investigations to criminal investigation standards (including computer forensics)
• Increased threat of e-fraud makes investigation more difficult
• Use of “post-mortems” to improve risk mitigation

Firms’ High Level Management of Fraud Risk – External Liaison and Communication
• Increased industry cooperation and strong support within firms for this but more needs to be done to share data and information on the perpetrators of fraud

Firms’ High Level Management of Fraud Risk – Educating Consumers
• Tension between implementation of anti-fraud measures and customer convenience
• The degree to which customer experience is expected to be negatively affected by an anti-fraud initiative was found to be a key factor in determining whether to proceed with the initiative

FSA Enforcement Action: Capita Financial Administrators Limited
£300,000 fine for breaches of:
• Principle 2: failing to act with due skill, care and diligence in considering the risks posed by financial crime
• Principle 3: failing to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems
• SYSC 3.2.6R: failing to take reasonable care to maintain effective systems and controls to counter the risk that the firm might be used to further financial crime.

FSA Enforcement Action: Capita Financial Administrators Limited
• Inadequate assessment of fraud risk, especially the risk of internal fraud
• Should have assessed the adequacy of existing controls and considered additional controls to mitigate any risks identified
• Inadequate response to discovery of fraud: although an investigation committee was set up, it focused on the specific circumstances of the fraud rather than a wider review of fraud risks

Dealing with the aftermath
• Alert senior management / the board
• Investigation of (a) specific circumstances and (b) wider fraud risks
• Appoint appropriate individuals to investigation team
• Consider whether use of external consultant is appropriate
• Establish timetable and objectives
• Consider key legal issues
• Asset recovery
• Accessing personal data
• Suspension / dismissal
• Whether or not to provide documents to FSA voluntarily
• Privilege
• Money laundering reporting obligation
• Corrective action / remedial plan
• Insurance issues
• Notifying FSA

Conclusions
• Recognise importance of fraud risk management to the FSA and react accordingly
• Senior management needs to be engaged
• Formal fraud risk assessment process and appropriate controls to deal with identified risks
• Clearly defined allocation of responsibilities for fraud risk management
• Adequate resources
• Adequate investment in systems and controls which are capable of early detection
• Capture and use management information on fraud
• Ensure threat of both internal and external fraud is assessed and dealt with
• Anti-fraud training
• Development of fraud investigation plan