Financial Crime FAQ’s
The questions below represent some of the most common queries firms have regarding financial crime prevention.
What is the difference between Financial Crime and AML?
AML focuses on anti-money laundering and refers to the controls a firm should have in pace to stop criminals laundering money through their accounts. Financial crime is wider than this, it covers AML, but also includes controls to prevent terrorist financing, fraud, sanctions and bribery. Firms are legally required to have controls in place that cover all of this.
What are the legal obligations regarding Financial Crime Prevention?
Financial services firms are legally required to have controls in place to mitigate the risks relating to financial crime. These legal obligations are laid out in a wide variety of legislation such as the Proceeds of Crime Act, the Terrorism Act, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, the Bribery Act, the Fraud act as well as a number of sanctions related acts. The requirements are wide reaching and complex and firms can be subject to severe enforcement action if they get it wrong.
Who regulates firms for Financial Crime Prevention?
For the majority of firms, the official regulator will be the UK Financial Conduct Authority. They will oversee every firm they regulate to ensure they adhere to their legal obligations. In some instances, HMRC will regulate certain firms (depending on their business model). Regulators do publish guidance on how to meet the requirements and in the event of an audit, would be looking for firms to follow those standard. However, it should be noted that for many firms, their regulator is their bank/liquidity provider, who have a keen oversight into a firm’s controls. They can be just as demanding as official regulators; however, they do not publish guidance into their requirements
My bank has asked me to get an AML audit, what will they be looking for?
Banks frequently ask firms to have an external party conduct an independent audit of their anti-money laundering controls. They will also want to see the final report if any audit conducted. Typically, banks will want to see a review of the documented policies and procedures followed by an onsite inspection to see if what is written down, reflects what actually happens. An audit should focus on KYC procedures, Transaction Monitoring, Suspicious Activity Reporting and the risk-based approach.
What does good look like?
Firms that do well in any financial crime related audits, do so because they have embraced the principles of the risk-based approach, assessed the risks they face, understood the various regulatory guidance and factored all of this into their controls to create a good financial crime prevention framework.
What makes a good framework?
In order to have a good framework, a firm should first decide who is responsible for implementing it. Once done, a firm should conduct a business wide risk assessment to assess the risks that it faces and understand the types of controls that it will need to implement. The controls will focus on Customer Due Diligence, which is broken into KYC procedures when onboarding a client, and ongoing monitoring; including transaction monitoring. In addition to this, there is suspicious activity reporting, record keeping, training and management oversight.
Is AML Training mandatory?
Yes. It is a legal requirement to provide AML training to employees. This should cover key areas such as applicable legislation and indicators or suspicious activity. Whilst there is no specific requirement to conduct training in other area of financial crime, it is recommended that this is provided.
What are sanctions?
Sanctions are tools used by governments around the world to cut economic support to person(s) who commit or mean to commit human rights abuses or terrorist acts. Contrary to popular belief, sanctions are not aimed at countries themselves, but people, organisations and industries within those countries. Although it should be noted that some countries have so many sanctions in them, they may as well be sanctioned. There are many sanctions lists around the world, with the main ones being HMT (in the UK), OFAC (in the USA), the EU and the UN.
How can I keep up to date with the legal and regulatory requirements?
Keeping on top of legal and regulatory developments can be challenging. Firms are advised to reach out to third parties, who offer such updates and can provide them with practical summary guidance as to what any change can mean for them.
What happens if things go wrong?
The penalties for getting this wrong can be quite severe. Where a regulator considers controls to be insufficient, they can levy hefty fines or even remove a firm’s permissions to trade. Banks can close business accounts with zero notice, even though they are vital for the operation of any firm. In serious cases, law enforcement agencies can be involved, which can lead to prison sentences and unlimited fines on individuals.
Payment Service Regulations FAQs
The questions below represent some of the most common queries firms have regarding the rules and regulations on Payment Services and EMoney
How do I know if I need a Payment Service licence?
There are many services offered in and around payments, with many focusing on the financial technology (fin-tech) aspect. Whether a firm needs a licence or not depends greatly on what happens with the funds involved. Put simply, if you take funds from one party and then pass it onto another then you will likely need a payment service licence.
What type of Payment Service permission would I need?
A Payment Service licence is broken down into several permissions, which are listed below. The licence you need depends on your business model.
|Money Remittance||The most basic type of permission required for single money transfers from one party to another and where the customer is the person paying the funds. Frequently used in Deliverable FX which involves a person making a currency conversion to pay a third party overseas. Firms operating in the Fin-tech space will not use this Permission as it does not meet their needs. Such firms will require a combination of the remaining permissions|
|Acquiring Payment Transactions||Mainly used for merchant acquiring, helping shops to take payments from their customers via remote channels, such as cards, mobile app, or internet (ecom.). More generically, it involves any process where the customer is the person receiving the funds|
|Executing Payment Transactions||Processing “push” or “pull” transactions including direct debits or standing orders|
|Operating a Payment Account||Any service which involves processing multiple payment transactions over a customer’s account, holding funds (for a predetermined amount of time) and making payments to third parties|
|Issuing of Payment Instrument||Defined as any service, which enables to customer to remotely order a payment to be processed. This can be via such channels as an online portal (where customers can log in and make a payment) or mobile app. Generally, any service which is provided non-face-to-face will likely need this permission|
|Payment Initiation Services||Applicable to business models which use a customer’s security credentials to log into their bank accounts and order a payment on their behalf|
|Account Information Services||Applicable to business models which use a customer’s security credentials to access their bank accounts and collate transaction/balance information|
What is EMoney?
EMoney relates to stored monetary value in electronic format. Any firm which holds on to a customer’s funds indefinitely, without having a clear onward instruction is likely issuing EMoney and will require an electronic money licence. Holders of EMoney licences do not need to apply for separate payment service licence as it automatically grants a firm all payment service permissions.
What is the law that firms are regulated under, and who is the regulatory body?
In the UK Payment Service firms are regulated under the Payment Services Regulations 2017 and EMoney firms are regulated under the Electronic Money Regulations 2011. The Financial Conduct Authority is the regulatory issuing the relevant licences and ensuring firms meet the regulatory requirements.
What's the difference between a small emoney licence and an authorised emoney licence?
For both Payment Services and EMoney, licences can be classified as either ‘Small’ or ‘Authorised’. Small Payment Service licences limit firms to processing €3 million worth of payment transactions per month and firms with a Small EMoney licence cannot issue more than €5 million in EMoney at any one time. Both types of Small licence cannot passport their services across Europe, Firms who are Authorised have no such limitation and can process as much as they like.
What are firms required to do?
The regulatory requirements are complex and for new firms can be quite overwhelming. Firms are required to have controls in place focusing on safeguarding of their customers’ funds, complaints handling, providing specific information to customers, the safe and efficient processing of payments, IT Security, Data Protection, Business Continuity, Disaster Recovery and Issue Resolution. In addition to this, firms will need to meet the regulatory capital requirements, adhere to the UK’s Financial Crime Prevention legislation and meet the FCA’s mind and management requirements.
What are regulatory capital requirements?
In general, firms are required to have capital set aside to cover for unforeseen events. Firms can only use qualifying instruments as capital (such as shares and retained earnings) and must always hold a minimum balance, which is detailed below. The minimum requirement will depend on whether the firm is small or authorised:
|Licence Type||Minimum Capital Requirement|
|Small Payment Service||No minimum capital required|
|Authorised Payment Service with Account Information Service Permission only||No minimum capital required|
|Small EMoney Service||No minimum capital required for first €500,000: 2% of balance thereafter|
|Authorised Payment Service with Money Remittance Permission only||€20,000|
|Authorised Payment Service with Payment Initiation Service Permission only||€50,000|
|Authorised Payment Service with remaining Payment Service Permissions||€125,000|
|Authorised EMoney Service||€350,000|
What are the mind and management requirements?
In order to obtain a licence from the FCA, a firm must ensure that the majority of the senior management is based in the UK and are able to make all of the key decisions in running the firm from the UK office. The management must have sufficient knowledge of the rules and regulations and have some experience of operating in the Payment Services/EMoney environment. A firm must also have a competent head of compliance based in the UK.
What happens if a firm provides its services without the required licence?
Providing Payment Services or issuing EMoney without the required licence is a criminal offence. Firms who operate illegally could face prosecution and unlimited fines.
Is it possible to provide Payment or EMoney Services without a licence?
There are ways in which firms can offer their services without obtaining a licence. In the first instance, they can review their product and establish if it qualifies for one of the legal exemptions. More common is for firms (particularly those who are new to payment services) to become agents or distributors of existing Payment Service/ EMoney firms. In this situation, the existing Payment Service/EMoney firm would take responsibility for ensuring compliance with the regulations and the agent firm can focus on providing its services to its customer base.