Minimum economic crime standards
Introduction
If you wish to work with us, you must demonstrate that your business has adequate systems and controls in place to address the risks of money laundering, terrorist financing, sanctions, tax evasion, fraud, bribery, and corruption. These systems and controls must be documented in your policies and procedures and evidenced in practice. We will assess these as part of our due diligence when we onboard you.
Our economic crime standards provide practical guidance to help ensure your policies, procedures, and practices meet our minimum requirements. While these standards support your understanding, you remain responsible for meeting all regulatory obligations that apply to your business and understanding how these impact your customers.
Your policies and procedures must cover the key areas outlined in our economic crime framework and align with relevant legal obligations, regulatory requirements, and industry guidance.
This document addresses three key areas:
- Minimum standards. Our requirements for each component of the economic crime framework.
- Communication. Expected ongoing communication about control effectiveness and failures.
- Oversight. Our measures for monitoring your controls.
Where we handle customer onboarding and ongoing screening on your behalf, you retain responsibility for understanding business risks and supporting our economic crime control framework including the implementation of a transaction monitoring programme. This does not prevent you from implementing additional controls beyond our requirements.
Policies
We expect you to have in place and maintain policies that accurately reflect your economic crime risk management, demonstrate regulatory compliance, and have appropriate board or governance committee approval(s).
Expected policies:
- Anti-Bribery and Corruption Policy
- Fraud Policy
- Market Abuse Policy (where applicable to your firm)
- Sanctions Policy
- Economic Crime Policy (or Anti-Money Laundering & Counter Terrorist Financing Policy)
Expected minimum content:
- Version control
- Definitions list for industry/company specific terms
- Policy statement
- Owners and responsibilities
- Core requirements of the subject matter
- Governance (including policy approval)
- Escalations
- Recordkeeping
- Exceptions to policy (where relevant)
- Links to supporting/related policies and procedures (where relevant)
While policy titles may vary, all specified content must be covered. If you consolidate multiple areas into a single policy, please highlight this when providing documentation.
Regulatory references
We expect you to make reference within your policies to the relevant legislation and regulation that your firm is required to comply with.
This may include some or all of the following:
- The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (reference to the Joint Money Laundering Steering Group (JMLSG) Guidance is acceptable)
- The Proceeds of Crime Act 2002 (POCA)
- The Terrorism Act 2000 (TACT)
- The Financial Conduct Authority, Financial Crime Guide (FCG)
- Bribery Act 2010
- Fraud Act 2006
Risk appetite
Risk appetite statement
To support your firm's management of financial crime risk you must have documented a high-level risk appetite statement. This should outline your company's approach and appetite to economic crime risk. This statement should be supported by quantifiable metrics, known as Key Risk Indicators (KRIs), that have thresholds and limits in place and demonstrate how senior management monitors your ongoing exposure to economic crime risk.
Key risk indicators (KRIs)
KRIs should include metrics that accurately measure your firm's exposure to economic crime risk and relate to your appetite statement.
They may include some or all of the following:
- Fraud losses
- Sanctions breaches identified
- Percentage of customers confirmed as Politically Exposed Persons (PEPs)
- Percentage of customers rated as high risk
Each KRI must have defined thresholds that serve as both early warning indicators for emerging risks and upper limits that signal when your appetite has been breached.
Breach management
We expect you to have in place reporting processes for any breach of your KRI limits that requires immediate senior management attention. You must notify our Money Laundering Reporting Officer (MLRO) of all limit breaches and related remediation activities within one business day of identification.
Prohibited lists
You must maintain lists of prohibited customer types, industries, and geographies that fall outside your risk appetite. The geography list must align with our Global Jurisdiction Risk Assessment (GJRA) as detailed in Appendix 1.
Money laundering reporting officer (MLRO) / Nominated officers
MLRO appointment and qualifications
Regulated businesses must appoint a Money Laundering Reporting Officer (MLRO) or Nominated Officer with relevant knowledge and experience. We may request their curriculum vitae to verify their experience and qualifications to undertake this role.
MLRO responsibilities
Your MLRO oversees all economic crime prevention systems and controls, including producing annual reports to senior management and addressing control gaps. They must have adequate resources and authority to manage economic crime risk effectively.
Regular communication requirements
The MLRO must communicate with us on all economic crime matters, including:
- Monthly/Quarterly management information
- Ongoing updates on system and control effectiveness
- Annual MLRO reports
- Business-wide risk assessment findings
- Availability for ad-hoc calibration meetings
Risk profile updates
The MLRO must promptly communicate any developments that could impact your risk profile, such as new product releases, changes to economic crime systems or risk appetite, and FCA submissions or notifications.
Non-regulated businesses
If your business is not regulated, you must designate an individual within your business who can receive and respond to our information requests in a timely manner. They will also need to ensure they update Griffin's MLRO on any changes to your risk profile, financial crime incidents and/or events and be available to attend calibration meetings.
Communication
We expect full transparency in all communications to maintain a strong relationship and enable us to provide support when needed.
Mandatory reporting requirements
You must communicate any known issues with:
- Onboarding controls
- Customer risk assessments
- Transaction Monitoring systems and/or rules
- PEP and sanctions screenings
This list is not exhaustive. You must inform us of any event that could increase risk to our customers or business, result in control failures, or breach regulatory requirements.
Formal communication requirements
The following must be communicated at least quarterly, with specific requirements, frequency, and ownership agreed at the start of our business relationship and reviewed periodically:
- Suspicious Activity Reports (SARs) - to be communicated within one business day
- Management information as agreed
- Any incidents that may lead to customer harm
- Consumer duty metrics
Customer due diligence (CDD)
Where you are responsible for onboarding the underlying customers you must conduct appropriate and compliant Customer Due Diligence (CDD) practices using a risk-based approach. CDD levels should reflect the customer risk assessment outcome, the product being applied for, and the nature of the business relationship, whether one-off transactions or ongoing relationships.
Identification and verification (ID&V)
You must complete identification and verification (ID&V) on potential customers before providing any products or services. For corporate entities, ID&V must include all directors and persons with significant control.
Reliance model
When we rely on your CDD processes for your customers, this operates under a "reliance model" arrangement. You must maintain processes for ongoing monitoring, including periodic reviews and trigger event-based CDD updates for all customers.
Politically exposed persons (PEPs)
You must screen individual customers to identify whether they are Politically Exposed Persons (PEPs) or relatives or close associates (RCAs) of PEPs. Screening must occur at onboarding and continue throughout the customer relationship. Your procedures must specify how PEP matches are discounted or confirmed. Confirmed matches should influence the overall customer risk rating and ongoing monitoring levels.
Sanctions
You must have undertaken an assessment of the sanctions risk your business activity presents, considering your customer base, product offerings, and operational jurisdictions. This assessment determines the required level of sanctions screening for all potential and existing customers. Screening must have taken place at onboarding and prior to the opening of an account. Ongoing screening must be conducted on all customers, at a frequency detailed within your risk assessment.
Ongoing screening
All customers must be screened daily against sanctions lists (as defined in our sanctions standards) and relevant PEP and RCA lists, regardless of whether they are considered "active" customers. This is additional to the initial screening conducted during application.
You must conduct an assessment to determine the overall PEP and sanctions risk considering your customer base, product offerings, and jurisdictions.
Customer risk assessment (CRA)
You must demonstrate how you conduct customer risk assessments using data available at onboarding and throughout the business relationship. This includes maintaining a list of events that trigger risk rating reviews. Your CRA should consider your current and expected customer base, the nature of your products, and your delivery channels.
Enhanced due diligence (EDD)
Following CRA outcomes, you must conduct EDD on applicants and customers presenting higher money laundering risks. You must maintain documented procedures for your risk-based EDD approach, including required steps and documentary evidence needed for satisfactory completion.
Transaction monitoring
We expect you to have in place either manual or automated transaction monitoring solutions, provided you can justify your chosen approach via your own risk assessment. Your documentation must detail the rules, scenarios, and thresholds used in transaction monitoring, which should be effective and proportionate to your business risk profile.
You must maintain the ability to restrict customer activity when suspicious activity is identified or when a customer's risk rating requires limitations. These restrictions may include:
- Blocking all inbound and outbound transactions
- Limiting account balances
- Capping maximum transaction amounts
You must document a clear understanding of your transactional risks, which will link to the transaction monitoring rules you have in place and your approach to monitoring customer activity.
Suspicious activity reporting
Regulated firms
Your MLRO or Nominated Officer must review all internal reports of potential suspicious activity and determine whether there is (or there are reasonable grounds for) knowledge or suspicion that someone has engaged, is engaging, or intends to engage in money laundering or terrorist financing. Where such determination is made, the MLRO must submit an external SAR to the UK National Crime Agency (NCA) as soon as possible.
Non-regulated firms
You must have in place clear documentation detailing how your business handles suspicious transactions and establish clear criteria including service level agreements (SLAs) for referring any concerns or suspicions to Griffin's MLRO to consider for onward reporting to the NCA.
Payment screening
Cross-border transaction screening
If your business processes cross-border transactions, you must screen the payer for all inbound transactions and the payee of outbound payments for potential sanctions matches before posting or completion. This will include the review of potential matches and reporting confirmed matches to relevant sanctioning bodies.
Prohibited jurisdiction controls
When transactions originate from countries on your prohibited lists (as detailed in the risk appetite section), you must maintain controls to block and investigate both the customer's activity and its purpose.
Blocking customer accounts
Blocking procedures
Where economic crime is confirmed or suspected, you must maintain procedures and technical capabilities to immediately block customer account access and payment functionality.
Instant implementation
Blocks must be effective instantly (within seconds) to prevent withdrawal of funds potentially linked to proceeds of crime. You must also be able to remove blocks instantly when the possibility of economic crime has been discounted.
Freezing funds
Where funds held in an account are deemed suspicious via your open internal investigations or have been confirmed as the proceeds of crime via external law enforcement communication, you must have the ability to freeze these funds and ensure they are not available to the underlying customer.
Offboarding customers
Economic crime offboarding requirements
You must have the functionality and processes to offboard customers for economic crime reasons. We expect you to have in place and maintain the following capabilities:
- The ability to identify red flags that trigger offboarding reviews and consideration
- Procedures for communicating with customers being offboarded (including tipping off considerations)
- Defined governance for offboarding decisions (where applicable)
- Processes for recording offboarding decisions, including reason for consideration, key dates, approval authority, and actual offboarding date
- Criteria for determining when offboarded customers require adding to a blocklist and/or watchlist, to prevent them from re-opening accounts with you
Governance
Your business must have in place relevant approval processes and effective governance arrangements for:
- Approving high-risk relationships
- Offboarding PEPs
- Reviewing management information, including KRIs
- Reviewing and approving policies
- Reviewing and approving business-wide risk assessments
- Reviewing annual MLRO reports (where this is applicable)
Training
Staff training requirements
All relevant staff working for you or on your behalf must complete anti-money laundering and fraud prevention training that is appropriate for the role they hold. Staff managing economic crime risk must possess appropriate training and competency levels for their roles.
Training frequency
Compliance and economic crime based training must be delivered on at least an annual basis. If delivered less frequently, you must provide documented rationale demonstrating why this remains sufficient. Training can be delivered online or in a classroom setting.
Minimum training content
Training must cover:
- Money laundering—Understanding and identifying risks
- Fraud—Understanding and identifying risks
- Bribery and corruption—Responsibilities and reporting requirements
- Tax evasion—Understanding and identifying risks
- Suspicious Activity Reporting—Why, how, and when to report concerns
- Monitoring
Oversight
As part of the relationship with Griffin we will oversee the implementation and delivery of these standards through risk-based monitoring of your business.
Risk assessment and review frequency
We will assign an initial risk rating to your firm as part of the onboarding process that will determine how often we are required to complete a review of your firm's economic crime framework and implementation of controls. This rating is regularly reassessed and adjusted based on new information, with review frequency updated accordingly.
Audit and review rights
We may conduct periodic audits of your business or your customers' businesses, with timing based on ongoing risk assessments. We also reserve the right to perform targeted reviews of specific business areas.
Review methods
Our monitoring activities may include on-site visits, documentation requests, customer file spot checks, and requests for customer data including Know Your Customer (KYC) and Customer Due Diligence (CDD) information.
Information requests and compliance
All information requests will include specific delivery timeframes. It is important to note that non-compliance with these requests and deadlines may result in suspension or restriction of your access to our products
Management information reporting
Reporting requirements
To support our oversight of your firm and your economic crime prevention activity we will request specific data via a management information request.
You must provide these reports to us on a pre-agreed cadence, which must be at least quarterly.
Reports will include some or all of the following metrics (we will provide a template of all applicable metrics required at onboarding):
Customer onboarding
- Total number of new customers onboarded
- Total number of live customers
- Total number of declined applications
- Number of applications declined for economic crime reasons
Application alerts
- Total number of fraud alerts on applications
- Number of fraud alerts discounted
- Total number of PEP alerts on applications
- Number of PEP alerts discounted
- Number of PEP alerts confirmed and approved
- Number of PEP alerts confirmed and declined
- Total number of sanctions alerts on applications
- Number of sanctions alerts discounted
- Number of sanctions alerts confirmed and declined
- Total number of adverse media alerts on applications
- Number of adverse media alerts discounted
- Number of adverse media alerts confirmed and declined
Suspicious activity and fraud
- Total number of internal suspicious activity reports raised with Griffin's MLRO
- Number of resulting SARs
- Confirmed third party fraud
- Total third party fraud losses
Indemnities
- Total indemnities received
- Total value of indemnities received
Appendix 1 - Country risk ratings
| Country | Country Code (ISO3) | Country Code (2 letter) | Risk Rating |
|---|---|---|---|
| Afghanistan | AFG | AF | Very High Risk |
| Albania | ALB | AL | Medium Risk |
| Algeria | DZA | DZ | Very High Risk |
| Andorra | AND | AD | Medium Risk |
| Angola | AGO | AO | Very High Risk |
| Anguilla | AIA | AI | Low Risk |
| Antigua and Barbuda | ATG | AG | High Risk |
| Argentina | ARG | AR | High Risk |
| Armenia | ARM | AM | Low Risk |
| Australia | AUS | AU | Low Risk |
| Austria | AUT | AT | Low Risk |
| Azerbaijan | AZE | AZ | Very High Risk |
| Bahamas | BHS | BS | Medium Risk |
| Bahrain | BHR | BH | Medium Risk |
| Bailiwick of Guernsey | GGY | GG | Medium Risk |
| Bailiwick of Jersey | JEY | JE | Medium Risk |
| Bangladesh | BGD | BD | High Risk |
| Barbados | BRB | BB | Medium Risk |
| Belarus | BLR | BY | Prohibited Risk |
| Belgium | BEL | BE | Low Risk |
| Benin | BEN | BJ | Very High Risk |
| Bermuda | BMU | BM | High Risk |
| Bhutan | BTN | BT | Medium Risk |
| Bolivia | BOL | BO | High Risk |
| Bosnia and Herzegovina | BIH | BA | High Risk |
| Botswana | BWA | BW | Medium Risk |
| Brazil | BRA | BR | High Risk |
| British Antarctic Territory | ATA | AQ | Low Risk |
| British Indian Ocean Territory | IOT | IO | Low Risk |
| British Virgin Islands | VGB | VG | Low Risk |
| Brunei Darussalam | BRN | BN | High Risk |
| Bulgaria | BGR | BG | High Risk |
| Burkina Faso | BFA | BF | High Risk |
| Burundi | BDI | BI | High Risk |
| Cambodia | KHM | KH | Very High Risk |
| Cameroon | CMR | CM | Very High Risk |
| Canada | CAN | CA | Low Risk |
| Cape Verde | CPV | CV | High Risk |
| Cayman Islands | CYM | KY | Very High Risk |
| Central African Republic | CAF | CF | Prohibited Risk |
| Chad | TCD | TD | Very High Risk |
| Chile | CHL | CL | High Risk |
| China | CHN | CN | High Risk |
| Colombia | COL | CO | Medium Risk |
| Comoros | COM | KM | Very High Risk |
| Congo | COG | CG | Very High Risk |
| Cook Islands | COK | CK | High Risk |
| Costa Rica | CRI | CR | Medium Risk |
| Côte d'Ivoire | CIV | CI | High Risk |
| Croatia | HRV | HR | High Risk |
| Cuba | CUB | CU | High Risk |
| Cyprus | CYP | CY | High Risk |
| Czech Republic | CZE | CZ | Medium Risk |
| Denmark | DNK | DK | Low Risk |
| Djibouti | DJI | DJ | Very High Risk |
| Dominica | DMA | DM | Very High Risk |
| Dominican Republic | DOM | DO | High Risk |
| Ducie and Oeno Islands | | | Low Risk |
| Ecuador | ECU | EC | High Risk |
| Egypt | EGY | EG | High Risk |
| El Salvador | SLV | SV | Very High Risk |
| Equatorial Guinea | GNQ | GQ | Very High Risk |
| Eritrea | ERI | ER | High Risk |
| Estonia | EST | EE | Medium Risk |
| Ethiopia | ETH | ET | High Risk |
| Falkland Islands | FLK | FK | Low Risk |
| Fiji | FJI | FJ | Medium Risk |
| Finland | FIN | FI | Low Risk |
| France | FRA | FR | Low Risk |
| Gabon | GAB | GA | Very High Risk |
| Gambia | GMB | GM | High Risk |
| Georgia | GEO | GE | Medium Risk |
| Germany | DEU | DE | Low Risk |
| Ghana | GHA | GH | High Risk |
| Gibraltar | GIB | GI | High Risk |
| Greece | GRC | GR | Low Risk |
| Grenada | GRD | GD | Very High Risk |
| Guatemala | GTM | GT | High Risk |
| Guinea | GIN | GN | Very High Risk |
| Guinea-Bissau | GNB | GW | High Risk |
| Guyana | GUY | GY | Very High Risk |
| Haiti | HTI | HT | Very High Risk |
| Henderson | | | Low Risk |
| Honduras | HND | HN | Medium Risk |
| Hong Kong | HKG | HK | High Risk |
| Hungary | HUN | HU | Medium Risk |
| Iceland | ISL | IS | Low Risk |
| India | IND | IN | High Risk |
| Indonesia | IDN | ID | Medium Risk |
| Iran | IRN | IR | Prohibited Risk |
| Iraq | IRQ | IQ | Prohibited Risk |
| Ireland | IRL | IE | Low Risk |
| Isle of Man | IMN | IM | High Risk |
| Israel | ISR | IL | Low Risk |
| Italy | ITA | IT | Low Risk |
| Jamaica | JAM | JM | High Risk |
| Japan | JPN | JP | Low Risk |
| Jordan | JOR | JO | Medium Risk |
| Kazakhstan | KAZ | KZ | High Risk |
| Kenya | KEN | KE | Very High Risk |
| Kosovo | KSV | XK | High Risk |
| Kuwait | KWT | KW | High Risk |
| Kyrgyzstan | KGZ | KG | High Risk |
| Laos | LAO | LA | High Risk |
| Latvia | LVA | LV | Medium Risk |
| Lebanon | LBN | LB | Very High Risk |
| Lesotho | LSO | LS | Very High Risk |
| Liberia | LBR | LR | Very High Risk |
| Libya | LBY | LY | Prohibited Risk |
| Lithuania | LTU | LT | Low Risk |
| Luxembourg | LUX | LU | Low Risk |
| Macao | MAC | MO | Very High Risk |
| Macedonia | MKD | MK | High Risk |
| Madagascar | MDG | MG | Very High Risk |
| Malawi | MWI | MW | High Risk |
| Malaysia | MYS | MY | Medium Risk |
| Maldives | MDV | MV | High Risk |
| Mali | MLI | ML | Very High Risk |
| Malta | MLT | MT | High Risk |
| Mauritania | MRT | MR | Very High Risk |
| Mauritius | MUS | MU | Medium Risk |
| Mexico | MEX | MX | Medium Risk |
| Moldova | MDA | MD | Medium Risk |
| Mongolia | MNG | MN | High Risk |
| Montenegro | MNE | ME | High Risk |
| Montserrat | MSR | MS | Low Risk |
| Morocco | MAR | MA | High Risk |
| Mozambique | MOZ | MZ | Very High Risk |
| Myanmar | MMR | MM | Prohibited Risk |
| Namibia | NAM | NA | High Risk |
| Nepal | NPL | NP | High Risk |
| Netherlands | NLD | NL | Low Risk |
| New Zealand | NZL | NZ | Low Risk |
| Nicaragua | NIC | NI | Very High Risk |
| Niger | NER | NE | Very High Risk |
| Nigeria | NGA | NG | Very High Risk |
| North Korea | PRK | KP | Prohibited Risk |
| Norway | NOR | NO | Low Risk |
| Oman | OMN | OM | High Risk |
| Pakistan | PAK | PK | High Risk |
| Palau | PLW | PW | Very High Risk |
| Panama | PAN | PA | High Risk |
| Papua New Guinea | PNG | PG | Very High Risk |
| Paraguay | PRY | PY | High Risk |
| Peru | PER | PE | Medium Risk |
| Philippines | PHL | PH | High Risk |
| Pitcairn | PCN | PN | Low Risk |
| Poland | POL | PL | Medium Risk |
| Portugal | PRT | PT | Low Risk |
| Puerto Rico | PRI | PR | High Risk |
| Qatar | QAT | QA | High Risk |
| Romania | ROU | RO | High Risk |
| Russian Federation | RUS | RU | Prohibited Risk |
| Rwanda | RWA | RW | Very High Risk |
| Saint Kitts and Nevis | KNA | KN | Very High Risk |
| Saint Lucia | LCA | LC | Medium Risk |
| Saint Vincent and the Grenadines | VCT | VC | High Risk |
| Samoa | WSM | WS | High Risk |
| San Marino | SMR | SM | Medium Risk |
| Sao Tome and Principe | STP | ST | High Risk |
| Saudi Arabia | SAU | SA | Medium Risk |
| Senegal | SEN | SN | Very High Risk |
| Serbia | SRB | RS | High Risk |
| Seychelles | SYC | SC | Medium Risk |
| Sierra Leone | SLE | SL | Very High Risk |
| Singapore | SGP | SG | Low Risk |
| Slovakia | SVK | SK | Medium Risk |
| Slovenia | SVN | SI | Low Risk |
| Solomon Islands | SLB | SB | High Risk |
| Somalia | SOM | SO | Very High Risk |
| South Africa | ZAF | ZA | Very High Risk |
| South Georgia and Sandwich Islands | SGS | GS | Low Risk |
| South Korea | KOR | KR | Medium Risk |
| South Sudan | SSD | SS | High Risk |
| Spain | ESP | ES | Low Risk |
| Sri Lanka | LKA | LK | High Risk |
| St Helena | SHN | SH | Low Risk |
| Sudan | SDN | SD | High Risk |
| Suriname | SUR | SR | Very High Risk |
| Swaziland | SWZ | SZ | High Risk |
| Sweden | SWE | SE | Low Risk |
| Switzerland | CHE | CH | Low Risk |
| Syria | SYR | SY | Prohibited Risk |
| Taiwan | TWN | TW | High Risk |
| Tajikistan | TJK | TJ | High Risk |
| Tanzania | TZA | TZ | High Risk |
| Thailand | THA | TH | Medium Risk |
| Timor-Leste | TLS | TL | High Risk |
| Togo | TGO | TG | Very High Risk |
| Tonga | TON | TO | Very High Risk |
| Trinidad and Tobago | TTO | TT | Medium Risk |
| Tunisia | TUN | TN | High Risk |
| Turkey | TUR | TR | High Risk |
| Turkmenistan | TKM | TM | Very High Risk |
| Turks and Caicos Islands | TCA | TC | Very High Risk |
| Uganda | UGA | UG | Very High Risk |
| Ukraine | UKR | UA | High Risk |
| United Arab Emirates | ARE | AE | Medium Risk |
| United Kingdom | GBR | GB | Low Risk |
| United States | USA | US | Low Risk |
| Uruguay | URY | UY | Low Risk |
| Uzbekistan | UZB | UZ | High Risk |
| Vanuatu | VUT | VU | High Risk |
| Vatican City | VAT | VA | Medium Risk |
| Venezuela | VEN | VE | Very High Risk |
| Vietnam | VNM | VN | Very High Risk |
| Yemen | YEM | YE | High Risk |
| Zambia | ZMB | ZM | High Risk |
| Zimbabwe | ZWE | ZW | Very High Risk |