Your policies and procedures
This page outlines what we expect to see from your economic crime policies and procedures. If you’re thinking of working with us, take a look below and make sure you have these controls in place.
This page doesn’t constitute advice from Griffin. Instead, we’re setting expectations about what we need to see. If you’d like advice, you should reach out to advisers and experts.
Required policies
We need you to have these five core policies:
- Anti-Bribery and Corruption Policy
- Fraud Policy
- Market Abuse Policy (where applicable to the business model)
- Sanctions Policy
- Anti-Money Laundering and Counter Terrorist Financing Policy
What we look for in policies
We expect your policies to:
- Accurately reflect how the company manages economic crime risk
- Show how the company complies with relevant regulations and legislation
- Have been approved by the company's board or another relevant governance committee
Required policy components
Each policy must have:
- Version control
- Definitions list for industry/company-specific terms
- Policy statement
- Owners and responsibilities
- Core requirements of the subject matter
- Governance (including policy approval)
- Escalations
- Recordkeeping
- Exceptions to policy (where relevant)
- Links to supporting/related policies and procedures where relevant
Each policy must reference the relevant legislation and/or regulation it aligns with:
- The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (reference to JMLSG Guidance is acceptable)
- The Proceeds of Crime Act 2002 (POCA)
- The Terrorism Act 2000 (TACT)
- The Financial Conduct Authority Financial Crime Guide (FCG)
- Bribery Act 2010
- Fraud Act 2006
Risk appetite requirements
We expect to see a risk appetite statement that explains your approach to economic crime risk at a high level.
Key risk indicators (KRIs)
This statement should be supported by metrics that quantify appetite for financial crime risk and detail how senior management monitors it. KRIs could include:
- Value of fraud losses
- Number of sanctions breaches identified
- Percentage of total customer base rated as high risk
Thresholds and limits
KRIs must have set thresholds and limits that:
- Act as early warning indicators (EWIs) for when a key risk may be about to materialise
- Set upper limits indicating a breach of appetite
Where a limit is breached, the risk requires immediate attention from senior management. We expect limit breaches and any related remediation activities to be communicated to our Money Laundering Reporting Officer (MLRO) within one business day.
Prohibited lists
Companies should maintain lists of customer types, industries, and geographies that are outside of risk appetite. These lists must at minimum align to our Global Jurisdiction Risk Assessment (GJRA) and Prohibited Industries list.
Politically exposed persons (PEPs)
Where customers are individuals, you must screen them to identify whether they are:
- Politically exposed persons (PEPs)
- Relatives or close associates (RCAs) of PEPs
Customers should be screened for PEP status at onboarding and on an ongoing basis throughout the relationship.
Your procedures must specify how PEP matches are discounted or confirmed. Where a match is confirmed, this should factor into the overall customer risk rating and level of ongoing monitoring.
Sanctions
You must assess the overall sanctions risk presented by your business, taking into consideration:
- Customer base
- Product offering
- Jurisdictions you operate within or interact with
This assessment should determine the level of sanctions screening that needs to be in place for all potential and current customers. Customers should be screened for sanctions at onboarding and on an ongoing basis throughout the relationship.
Customer risk assessment (CRA)
You must be able to demonstrate how you conduct risk assessments of your customers, both at onboarding and throughout the business relationship. This should include a list of events that would trigger a review of the customer's risk rating.
The CRA should also show consideration of:
- Current or expected customer base
- Nature of products offered
- Delivery channels
Transaction monitoring
We expect to see ongoing transaction monitoring. This can be done manually or via an automated solution, as long as there's a clear rationale for the approach.
Documentation should include the rules, scenarios and thresholds used in transaction monitoring. These should be effective and proportionate to the risk profile of the business.
You must also have the ability to limit customer activity when potentially suspicious activity is identified and/or the risk rating of a customer dictates that restrictions should be in place. This may include:
- Blocking all inbound and outbound transactions
- Limiting balances
- Limiting maximum transaction amounts
Suspicious activity reporting (SAR)
Unregulated businesses
If you are not regulated, you are still required to report suspicious activity under POCA 2002. Documentation should set out how you deal with suspicious transactions and criteria for referring these to Griffin's MLRO for SAR consideration.
Regulated businesses
You are obliged by the MLRs 2017 and POCA 2002 to report suspicious activity. The MLRO or Nominated Officer must consider all internal reports of potential suspicious activity and decide if there is knowledge or suspicion, or reasonable grounds for knowledge or suspicion, that someone has engaged in or intends to engage in money laundering or terrorist financing. If so, the MLRO must make an external suspicious activity report (SAR) to the UK National Crime Agency (NCA) or equivalent EU body as soon as possible.
Payment screening
If your business sends and receives cross-border transactions, these must be screened for potential sanctions matches prior to posting or completion. This includes:
- Reviewing any potential matches
- Reporting confirmed matches to the relevant sanctioning bodies
When a transaction is identified as originating from a country on one of the prohibited lists, controls must be in place to block and investigate the customer's activity and its purpose.
Training requirements
All relevant staff working for or on behalf of the company must complete anti-money laundering and fraud prevention training tailored to their roles. Staff whose work involves managing economic crime risk must have the right training and level of competency to carry out their roles.
Training frequency
We expect this training to be delivered at least annually. If it is delivered less than annually, we require a documented rationale for why this is sufficient. Training can be delivered online or in a classroom setting.
Minimum training coverage
At minimum, we expect training to cover:
- Money laundering—understanding and identifying the risks
- Fraud—understanding and identifying the risks
- Bribery and corruption—responsibilities and reporting requirements
- Tax evasion—understanding and identifying the risks
- Suspicious activity reporting—why, how and when to report concerns
More information
For more questions about our onboarding process, visit griffin.com/onboarding or get in touch with your customer success manager.