Skip to content

Minimum economic crime standards

Introduction

If you wish to work with us, you must demonstrate that your business has adequate systems and controls in place to address the risks of money laundering, terrorist financing, sanctions, tax evasion, fraud, bribery, and corruption. These systems and controls must be documented in your policies and procedures and evidenced in practice. We will assess these as part of our due diligence when we onboard you.

Our economic crime standards provide practical guidance to help ensure your policies, procedures, and practices meet our minimum requirements. While these standards support your understanding, you remain responsible for meeting all regulatory obligations that apply to your business and understanding how these impact your customers.

Your policies and procedures must cover the key areas outlined in our economic crime framework and align with relevant legal obligations, regulatory requirements, and industry guidance.

This document addresses three key areas:

  • Minimum standards. Our requirements for each component of the economic crime framework.
  • Communication. Expected ongoing communication about control effectiveness and failures.
  • Oversight. Our measures for monitoring your controls.

Where we handle customer onboarding and ongoing screening on your behalf, you retain responsibility for understanding business risks and supporting our economic crime control framework including the implementation of a transaction monitoring programme. This does not prevent you from implementing additional controls beyond our requirements.

Policies

We expect you to have in place and maintain policies that accurately reflect your economic crime risk management, demonstrate regulatory compliance, and have appropriate board or governance committee approval/s.

Expected policies:

  • Anti-Bribery and Corruption Policy
  • Fraud Policy
  • Market Abuse Policy (where applicable to your firm)
  • Sanctions Policy
  • Economic Crime Policy (or Anti-Money Laundering & Counter Terrorist Financing Policy)

Expected minimum content:

  • Version control
  • Definitions list for industry/company specific terms
  • Policy statement
  • Owners and responsibilities
  • Core requirements of the subject matter
  • Governance (including policy approval)
  • Escalations
  • Recordkeeping
  • Exceptions to policy (where relevant)
  • Links to supporting/related policies and procedures (where relevant)

While policy titles may vary, all specified content must be covered. If you consolidate multiple areas into a single policy, please highlight this when providing documentation.

Regulatory references

We expect you to make reference within your policies to the relevant legislation and regulation that your firm is required to comply with.

This may include some or all of the following:

  • The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (Reference to the Joint Money Laundering Steering Group (JMLSG) Guidance, is acceptable)
  • The Proceeds of Crime Act 2002 (POCA)
  • The Terrorism Act 2000 (TACT)
  • The Financial Conduct Authority, Financial Crime Guide (FCG)
  • Bribery Act 2010
  • Fraud Act 2006

Risk appetite

Risk appetite statement

To support your firm's management of financial crime risk you must have documented a high-level risk appetite statement. This should outline your company's approach and appetite to economic crime risk. This statement should be supported by quantifiable metrics, known as Key Risk Indicators (KRIs), that have thresholds and limits in place and demonstrate how senior management monitors your ongoing exposure to economic crime risk.

Key risk indicators (KRIs)

KRIs should include metrics that accurately measure your firm's exposure to economic crime risk and relate to your appetite statement.

They may include some or all of the following:

  • Fraud losses
  • Sanctions breaches identified
  • Percentage of customers confirmed as Politically Exposed Persons (PEPs)
  • Percentage of customers rated as high risk

Each KRI must have defined thresholds that serve as both early warning indicators for emerging risks and upper limits that signal when your appetite has been breached.

Breach management

We expect you to have in place reporting processes for any breach of your KRI limits that requires immediate senior management attention. You must notify our Money Laundering Reporting Officer (MLRO) of all limit breaches and related remediation activities within one business day of identification.

Prohibited lists

You must maintain lists of prohibited customer types, industries, and geographies that fall outside your risk appetite. The geography list must align with our Global Jurisdiction Risk Assessment (GJRA) as detailed in Appendix 1.

Money laundering reporting officer (MLRO) / Nominated officers

MLRO appointment and qualifications

Regulated businesses must appoint a Money Laundering Reporting Officer (MLRO) or Nominated Officer with relevant knowledge and experience. We may request their curriculum vitae to verify their experience and qualifications to undertake this role.

MLRO responsibilities

Your MLRO oversees all economic crime prevention systems and controls, including producing annual reports to senior management and addressing control gaps. They must have adequate resources and authority to manage economic crime risk effectively.

Regular communication requirements

The MLRO must communicate with us on all economic crime matters, including:

  • Monthly/Quarterly management information
  • Ongoing updates on system and control effectiveness
  • Annual MLRO reports
  • Business-wide risk assessment findings
  • Availability for ad-hoc calibration meetings

Risk profile updates

The MLRO must promptly communicate any developments that could impact your risk profile, such as new product releases, changes to economic crime systems or risk appetite, and FCA submissions or notifications.

Non-regulated businesses

If your business is not regulated, you must designate an individual within your business who can receive and respond to our information requests in a timely manner. They will also need to ensure they update Griffin's MLRO on any changes to your risk profile, financial crime incidents and/or events and be available to attend calibration meetings.

Communication

We expect full transparency in all communications to maintain a strong relationship and enable us to provide support when needed.

Mandatory reporting requirements

You must communicate any known issues with:

  • Onboarding controls
  • Customer risk assessments
  • Transaction Monitoring systems and/or rules
  • PEP and sanctions screenings

This list is not exhaustive. You must inform us of any event that could increase risk to our customers or business, resulting in control failures, or breaching regulatory requirements.

Formal communication requirements

The following must be communicated at least quarterly, with specific requirements, frequency, and ownership agreed at the start of our business relationship and reviewed periodically:

  • Suspicious Activity Reports (SARs) - to be communicated within one business day
  • Management information as agreed
  • Any incidents that may lead to customer harm
  • Consumer duty metrics

Customer due diligence (CDD)

Where you are responsible for onboarding the underlying customers you must conduct appropriate and compliant Customer Due Diligence (CDD) practices using a risk-based approach. CDD levels should reflect the customer risk assessment outcome, the product being applied for, and the nature of the business relationship, whether one-off transactions or ongoing relationships.

Identification and verification (ID&V)

You must complete identification and verification (ID&V) on potential customers before providing any products or services. For corporate entities, ID&V must include all directors and persons with significant control.

Reliance model

When we rely on your CDD processes for your customers, this operates under a "reliance model" arrangement. You must maintain processes for ongoing monitoring, including periodic reviews and trigger event-based CDD updates for all customers.

Politically exposed persons (PEPs)

You must screen individual customers to identify whether they are Politically Exposed Persons (PEPs) or relatives or close associates (RCAs) of PEPs. Screening must occur at onboarding and continue throughout the customer relationship. Your procedures must specify how PEP matches are discounted or confirmed. Confirmed matches should influence the overall customer risk rating and ongoing monitoring levels.

Sanctions

You must have undertaken an assessment of the sanctions risk your business activity presents, considering your customer base, product offerings, and operational jurisdictions. This assessment determines the required level of sanctions screening for all potential and existing customers. Screening must have taken place at onboarding and prior to the opening of an account. Ongoing screening must be conducted on all customers and of a frequency detailed within your risk assessment.

Ongoing screening

All customers must be screened daily against sanctions lists (as defined in our sanctions standards) and relevant PEP and RCA lists, regardless of whether they are considered "active" customers. This is additional to the initial screening conducted during application.

You must conduct an assessment to determine the overall PEP and sanctions risk considering your customer base, product offerings, and jurisdictions.

Customer risk assessment (CRA)

You must demonstrate how you conduct customer risk assessments using data available at onboarding and throughout the business relationship. This includes maintaining a list of events that trigger risk rating reviews. Your CRA should consider your current and expected customer base, the nature of your products, and your delivery channels.

Enhanced due diligence (EDD)

Following CRA outcomes, you must conduct EDD on applicants and customers presenting higher money laundering risks. You must maintain documented procedures for your risk-based EDD approach, including required steps and documentary evidence needed for satisfactory completion.

Transaction monitoring

We expect you to have in place either manual or automated transaction monitoring solutions, provided you can justify your chosen approach via your own risk assessment. Your documentation must detail the rules, scenarios, and thresholds used in transaction monitoring, which should be effective and proportionate to your business risk profile.

You must maintain the ability to restrict customer activity when suspicious activity is identified or when a customer's risk rating requires limitations. These restrictions may include:

  • Blocking all inbound and outbound transactions
  • Limiting account balances
  • Capping maximum transaction amounts

A clear understanding of your transactional risks must be documented which will link to the transaction monitoring rules you have in place and your approach to monitoring customer activity.

Suspicious activity reporting

Regulated firms

Your MLRO or Nominated Officer must review all internal reports of potential suspicious activity and determine whether there is (or there are reasonable grounds for) knowledge, or suspicion that someone has engaged, is engaging, or intends to engage in money laundering or terrorist financing. Where such determination is made, the MLRO must submit an external SAR to the UK National Crime Agency (NCA) as soon as possible.

Non-regulated firms

You must have in place clear documentation detailing how your business handles suspicious transactions and establish clear criteria including service level agreements (SLAs) for referring any concerns or suspicions to Griffin's MLRO to consider for onward reporting to the NCA.

Payment screening

Cross-border transaction screening

If your business processes cross-border transactions, you must screen the payer for all inbound transactions and the payee of outbound payments for potential sanctions matches before posting or completion. This will include the review of potential matches and reporting confirmed matches to relevant sanctioning bodies.

Prohibited jurisdiction controls

When transactions originate from countries on your prohibited lists (as detailed in the risk appetite section), you must maintain controls to block and investigate both the customer's activity and its purpose.

Blocking customer accounts

Blocking procedures

Where economic crime is confirmed or suspected, you must maintain procedures and technical capabilities to immediately block customer account access and payment functionality.

Instant implementation

Blocks must be effective instantly (within seconds) to prevent withdrawal of funds potentially linked to proceeds of crime. You must also be able to remove blocks instantly when the possibility of economic crime has been discounted.

Funding funds

Where funds held in an account are deemed suspicious via your open internal investigations or have been confirmed as the proceeds of crime via external law enforcement communication, you must have the ability to freeze these funds and ensure they are not available to the underlying customer.

Offboarding customers

Economic crime offboarding requirements

You must have the functionality and processes to offboard customers for economic crime reasons. We expect you to have in place and maintain the following capabilities:

  • The ability to identify red flags that trigger offboarding reviews and consideration
  • Procedures for communicating with customers being offboarded (including tipping off considerations)
  • Defined governance for offboarding decisions (where applicable)
  • Processes for recording offboarding decisions, including reason for consideration, key dates, approval authority, and actual offboarding date
  • What criteria should be in place for determining when offboarded customers require adding to a blocklist and/or watchlist, to prevent them from re-opening accounts with you.

Governance

Your business must have in place relevant approval processes and effective governance arrangements for:

  • Approving high-risk relationships
  • Offboarding PEPs
  • Reviewing management information, including KRIs
  • Reviewing and approving policies
  • Reviewing and approving business-wide risk assessments
  • Reviewing annual MLRO reports (where this is applicable)

Training

Staff training requirements

All relevant staff working for you or on your behalf must complete anti-money laundering and fraud prevention training that is appropriate for the role they hold. Staff managing economic crime risk must possess appropriate training and competency levels for their roles.

Training frequency

Compliance and economic crime based training must be delivered on at least an annual basis. If delivered less frequently, you must provide documented rationale demonstrating why this remains sufficient. Training can be delivered online or in a classroom setting.

Minimum training content

Training must cover:

  • Money laundering‍—‌Understanding and identifying risks
  • Fraud‍—‌Understanding and identifying risks
  • Bribery and corruption‍—‌Responsibilities and reporting requirements
  • Tax evasion‍—‌Understanding and identifying risks
  • Suspicious Activity Reporting‍—‌Why, how, and when to report concerns
  • Monitoring

Oversight

As part of the relationship with Griffin we will oversee the implementation and delivery of these standards through risk-based monitoring of your business.

Risk assessment and review frequency

We will assign an initial risk rating to your firm as part of the onboarding process that will determine how often we are required to complete a review of your firm's economic crime framework and implementation of controls. This rating is regularly reassessed and adjusted based on new information, with review frequency updated accordingly.

Audit and review rights

We may conduct periodic audits of your business or your customers' businesses, with timing based on ongoing risk assessments. We also reserve the right to perform targeted reviews of specific business areas.

Review methods

Our monitoring activities may include on-site visits, documentation requests, customer file spot checks, and requests for customer data including Know Your Customer (KYC) and Customer Due Diligence (CDD) information.

Information requests and compliance

All information requests will include specific delivery timeframes. It is important to note that non-compliance with these requests and deadlines may result in suspension or restriction of your access to our products

Management information reporting

Reporting requirements

To support our oversight of your firm and your economic crime prevention activity we will request specific data via a management information request.

You must provide these reports to us on a pre-agreed cadence but this must be at least on a quarterly basis.

Reports will include some or all of the following metrics (we will provide a template of all applicable metrics required at onboarding):

Customer onboarding

  • Total number of new customers onboarded
  • Total number of live customers
  • Total number of declined applications
  • Number of applications declined for economic crime reasons

Application alerts

  • Total number of fraud alerts on applications
    • Number of fraud alerts discounted
  • Total number of PEP alerts on applications
    • Number of PEP alerts discounted
    • Number of PEP alerts confirmed and approved
    • Number of PEP alerts confirmed and declined
  • Total number of sanctions alerts on applications
    • Number of sanctions alerts discounted
    • Number of sanctions alerts confirmed and declined
  • Total number of adverse media alerts on applications
    • Number of adverse media alerts discounted
    • Number of adverse media alerts confirmed and declined

Suspicious activity and fraud

  • Total number of internal suspicious activity reports raised with Griffin's MLRO
    • Number of resulting SARs
  • Confirmed third party fraud
    • Total third party fraud losses

Indemnities

  • Total indemnities received
    • Total value of indemnities received

Appendix 1 - Country risk ratings

CountryCountry Code (ISO3)Country Code (2 letter)Risk Rating
AfghanistanAFGAFProhibited Risk
AlbaniaALBALHigh Risk
AlgeriaDZADZVery High Risk
American SamoaASMASProhibited Risk
AndorraANDADMedium Risk
AngolaAGOAOProhibited Risk
AnguillaAIAAIProhibited Risk
Antigua and BarbudaATGAGHigh Risk
ArgentinaARGARHigh Risk
ArmeniaARMAMMedium Risk
ArubaABWAWVery High Risk
AustraliaAUSAUMedium Risk
AustriaAUTATMedium Risk
AzerbaijanAZEAZVery High Risk
BahamasBHSBSHigh Risk
BahrainBHRBHVery High Risk
Bailiwick of GuernseyGGYGGMedium Risk
Bailiwick of JerseyJEYJEMedium Risk
BangladeshBGDBDVery High Risk
BarbadosBRBBBHigh Risk
BelarusBLRBYProhibited Risk
BelgiumBELBEMedium Risk
BelizeBLZBZVery High Risk
BeninBENBJVery High Risk
BermudaBMUBMHigh Risk
BhutanBTNBTHigh Risk
BoliviaBOLBOProhibited Risk
Bosnia and HerzegovinaBIHBAVery High Risk
BotswanaBWABWHigh Risk
BrazilBRABRHigh Risk
British Indian Ocean TerritoryIOTIOLow Risk
British Virgin IslandsVGBVGProhibited Risk
Brunei DarussalamBRNBNHigh Risk
BulgariaBGRBGVery High Risk
Burkina FasoBFABFProhibited Risk
BurundiBDIBIProhibited Risk
CambodiaKHMKHVery High Risk
CameroonCMRCMVery High Risk
CanadaCANCAMedium Risk
Cape VerdeCPVCVHigh Risk
Cayman IslandsCYMKYVery High Risk
Central African RepublicCAFCFProhibited Risk
ChadTCDTDVery High Risk
ChileCHLCLHigh Risk
ChinaCHNCNVery High Risk
Chinese Taipei (Taiwan)TWNTWHigh Risk
ColombiaCOLCOVery High Risk
ComorosCOMKMVery High Risk
CongoCOGCGVery High Risk
Cook IslandsCOKCKHigh Risk
Costa RicaCRICRHigh Risk
CroatiaHRVHRHigh Risk
CubaCUBCUHigh Risk
CuraçaoCUWCWHigh Risk
CyprusCYPCYHigh Risk
Czech RepublicCZECZMedium Risk
Côte d'IvoireCIVCIProhibited Risk
Democratic Republic of CongoCODCDProhibited Risk
DenmarkDNKDKMedium Risk
DjiboutiDJIDJVery High Risk
DominicaDMADMHigh Risk
Dominican RepublicDOMDOHigh Risk
EcuadorECUECHigh Risk
EgyptEGYEGHigh Risk
El SalvadorSLVSVVery High Risk
Equatorial GuineaGNQGQProhibited Risk
EritreaERIERVery High Risk
EstoniaESTEEMedium Risk
eSwatiniSWZSZVery High Risk
EthiopiaETHETProhibited Risk
Falkland IslandsFLKFKLow Risk
FijiFJIFJHigh Risk
FinlandFINFIMedium Risk
FranceFRAFRLow Risk
GabonGABGAVery High Risk
GambiaGMBGMVery High Risk
GeorgiaGEOGEHigh Risk
GermanyDEUDEMedium Risk
GhanaGHAGHVery High Risk
GibraltarGIBGIHigh Risk
GreeceGRCGRMedium Risk
GrenadaGRDGDVery High Risk
GuamGUMGUProhibited Risk
GuatemalaGTMGTHigh Risk
GuineaGINGNVery High Risk
Guinea-BissauGNBGWVery High Risk
GuyanaGUYGYHigh Risk
HaitiHTIHTProhibited Risk
HondurasHNDHNHigh Risk
Hong KongHKGHKHigh Risk
HungaryHUNHUHigh Risk
IcelandISLISHigh Risk
IndiaINDINHigh Risk
IndonesiaIDNIDHigh Risk
IranIRNIRProhibited Risk
IraqIRQIQProhibited Risk
IrelandIRLIEMedium Risk
Isle of ManIMNIMHigh Risk
IsraelISRILHigh Risk
ItalyITAITMedium Risk
JamaicaJAMJMVery High Risk
JapanJPNJPMedium Risk
JordanJORJOHigh Risk
KazakhstanKAZKZHigh Risk
KenyaKENKEVery High Risk
KosovoXKXXKHigh Risk
KuwaitKWTKWProhibited Risk
KyrgyzstanKGZKGProhibited Risk
LaosLAOLAProhibited Risk
LatviaLVALVHigh Risk
LebanonLBNLBProhibited Risk
LesothoLSOLSVery High Risk
LiberiaLBRLRVery High Risk
LibyaLBYLYProhibited Risk
LithuaniaLTULTHigh Risk
LuxembourgLUXLUMedium Risk
Macao (China)MACMOProhibited Risk
MadagascarMDGMGVery High Risk
MalawiMWIMWVery High Risk
MalaysiaMYSMYHigh Risk
MaldivesMDVMVVery High Risk
MaliMLIMLProhibited Risk
MaltaMLTMTHigh Risk
Marshall IslandsMHLMHVery High Risk
MauritaniaMRTMRVery High Risk
MauritiusMUSMUVery High Risk
MexicoMEXMXHigh Risk
MoldovaMDAMDHigh Risk
MonacoMCOMCVery High Risk
MongoliaMNGMNVery High Risk
MontenegroMNEMEHigh Risk
MontserratMSRMSHigh Risk
MoroccoMARMAVery High Risk
MozambiqueMOZMZVery High Risk
MyanmarMMRMMProhibited Risk
NamibiaNAMNAVery High Risk
NepalNPLNPProhibited Risk
NetherlandsNLDNLMedium Risk
New ZealandNZLNZLow Risk
NicaraguaNICNIProhibited Risk
NigerNERNEProhibited Risk
NigeriaNGANGVery High Risk
NiueNIUNUHigh Risk
North KoreaPRKKPProhibited Risk
North MacedoniaMKDMKHigh Risk
NorwayNORNOMedium Risk
OmanOMNOMHigh Risk
PakistanPAKPKProhibited Risk
PalauPLWPWProhibited Risk
PanamaPANPAProhibited Risk
Papua New GuineaPNGPGProhibited Risk
ParaguayPRYPYVery High Risk
PeruPERPEHigh Risk
PhilippinesPHLPHProhibited Risk
PolandPOLPLHigh Risk
PortugalPRTPTMedium Risk
Puerto RicoPRIPRHigh Risk
QatarQATQAHigh Risk
RomaniaROUROHigh Risk
Russian FederationRUSRUProhibited Risk
RwandaRWARWVery High Risk
Saint Kitts and NevisKNAKNVery High Risk
Saint LuciaLCALCVery High Risk
Saint Vincent and the GrenadinesVCTVCHigh Risk
SamoaWSMWSProhibited Risk
San MarinoSMRSMHigh Risk
Sao Tome and PrincipeSTPSTVery High Risk
Saudi ArabiaSAUSAHigh Risk
SenegalSENSNVery High Risk
SerbiaSRBRSProhibited Risk
SeychellesSYCSCHigh Risk
Sierra LeoneSLESLProhibited Risk
SingaporeSGPSGMedium Risk
SlovakiaSVKSKHigh Risk
SloveniaSVNSIHigh Risk
Solomon IslandsSLBSBProhibited Risk
SomaliaSOMSOProhibited Risk
South AfricaZAFZAVery High Risk
South Georgia and Sandwich IslandsSGSGSLow Risk
South KoreaKORKRHigh Risk
South SudanSSDSSProhibited Risk
SpainESPESMedium Risk
Sri LankaLKALKProhibited Risk
St HelenaSHNSHLow Risk
SudanSDNSDProhibited Risk
SurinameSURSRVery High Risk
SwedenSWESEMedium Risk
SwitzerlandCHECHMedium Risk
SyriaSYRSYProhibited Risk
TajikistanTJKTJProhibited Risk
TanzaniaTZATZProhibited Risk
ThailandTHATHHigh Risk
Timor-LesteTLSTLProhibited Risk
TogoTGOTGVery High Risk
TongaTONTOVery High Risk
Trinidad and TobagoTTOTTProhibited Risk
TunisiaTUNTNVery High Risk
TurkmenistanTKMTMProhibited Risk
Turks and Caicos IslandsTCATCProhibited Risk
TürkiyeTURTRVery High Risk
U.S Virgin IslandsVIRVIProhibited Risk
UgandaUGAUGVery High Risk
UkraineUKRUAHigh Risk
United Arab EmiratesAREAEHigh Risk
United KingdomGBRGBLow Risk
United StatesUSAUSLow Risk
UruguayURYUYHigh Risk
UzbekistanUZBUZHigh Risk
VanuatuVUTVUProhibited Risk
Vatican CityVATVAProhibited Risk
VenezuelaVENVEProhibited Risk
VietnamVNMVNProhibited Risk
YemenYEMYEProhibited Risk
ZambiaZMBZMVery High Risk
ZimbabweZWEZWProhibited Risk