How to build board confidence in your financial crime framework

Amidst the geopolitical turmoil and increasing instability of 2024, a raft of new laws and regulations are placing greater demands on the boards of financial institutions to demonstrate the basis upon which their organizations’ statements of financial crime risk and compliance effectiveness are made.  

That means anti-financial crime leaders should expect to hear from their boards a lot more. In this article we’ll look at what the drivers of this change are and how you can help your board meet these new requirements.  

Increasing instability and the need for greater board involvement 

It’s impossible to escape the atrocities reported in the media on an almost daily basis, whether it’s complex geopolitical events¹ such as the Russian occupation of Ukraine, terrorist attacks, human trafficking, or narcotics. All have a financial cost and are linked to financial flows, facilitation networks, and the risk areas of money laundering, terrorist financing, sanctions evasion, and proliferation financing.  
 
But while boards typically have the required expertise to manage the geopolitical environment and growing instability², your team’s ability to manage the threats and risks that result from increasing turmoil is vital to protecting your institution and its stakeholders from involvement in damaging events. 

More than ever, the financial crime compliance and risk management functions need to cooperate in an independent yet collaborative way: where weaknesses or gaps in organizational control frameworks persist, the probability of regulatory enforcement action is picking up³. Increasingly, data-led and technology-enabled supervisors are collaborating and developing more accurate approaches to drive their risk-based supervisory strategies, leaving no place to hide for financial institutions. 

While the direct impacts of penalties and the associated costs of transformation or remediations can be eye watering, markets have shown to react negatively, even to mere suggestions issues may exist. That in turn can affect business stability, making such a transition a necessity. Restrictions imposed because of weaknesses in your financial crime program can limit your ability to conduct business, including onboarding new customers, or even transacting. In the worst-case scenario, organizations can cease to trade. However, this is warranted given the dire effects financial crime can have on society and industry.  

Public intolerance to failure leading to reform

Given the severity of consequences for business and society, it's no surprise that public intolerance to failure is a key driver for reform in legal and regulatory frameworks.

While the anti-money laundering regime facilitates a ‘risk-based’ approach, the European Union is becoming more prescriptive⁴, leaving less to institutions’ interpretation and driving further transformation requirements. Other regions are also exploring ways to improve prioritization: the United States through its National Priorities⁵ and the United Kingdom through a similar approach touted by its economic crime plan⁶. There’s also an increasing potential for law enforcement to prosecute organizations that become entangled in economic crime. Their reach will extend beyond the ‘directing mind and will’ of the board, to consider more closely the day-to-day operational decision making.  

Taken together these pressures are driving a need for augmented governance and oversight arrangements to ensure decisions made are informed, traceable, and defensible. With this comes additional pressure to ensure your methodologies and framework of controls to identify, assess, and manage risk, and to report in a timely and effective manner, work today and are also future proof.  

While risk management and compliance has long been perceived as a cost center, maturing your capabilities and, if needed, risk sophistication can be a baseline for future survival. And with the right frameworks in place, it can even become a competitive advantage through which you can achieve safe and compliant growth, navigating what may be blind spots for others with your eyes wide open.

The laws and regulations driving change

• Enhancing corporate governance
  
  A key trend we observe is the maturation of corporate governance codes, for example the UK’s revisions led by the Financial Reporting Council (FRC) which came into effect in January⁷. The code requires directors to state in their annual report that they’ve carried out a robust assessment of the emerging and principal risks facing the company, including those that would threaten its business model, future performance, solvency, or liquidity. Most importantly, the recent amendments also require directors to explain how they’ve ensured that the company's risk management and internal control systems are effective and how they’ve monitored and reviewed them. This forms the basis for annual attestations and reporting. Firms have until 2026 to prepare.  
  
  
• Corporate Criminal Liability (CCL) and Offences (CCO) 
  
  Another notable development, particularly impacting financial institutions in the UK, are changes made to the ‘identification doctrine’⁸: the model through which a corporation is identified as being criminally liable for their involvement in ‘economic crimes’. Previously this test needed to show a serious crime was committed at the ‘directing mind and will’ of the organization, i.e. the board. This becomes particularly challenging where investigations involve more complex institutions, where many levels exist between directors and the day-to-day decision making and operations through which a ‘serious crime’ may have been committed. The Economic Crime and Corporate Transparency Act 2023, lowers the threshold by extending the model to include ‘senior managers’, who will likely be defined by their role and responsibilities, including managerial influence, as opposed to by title only.
  
  Together with existing failure to prevent offenses in the UK such as bribery (2010), the facilitation of tax evasion (2017), and the newly-introduced failure to prevent fraud offense (pending guidance to support), these changes are expected to sharpen boards’ focus on financial crime holistically and the need for senior managers to demonstrate the basis upon which they are asserting their effectiveness.  
  
  Guidance for the CCOs center around six key pillars, including top-level commitment, risk assessment, and proportionate risk-based controls. While we await published guidance for the failure to prevent fraud CCO, it’s widely expected this will align with the failure to prevent the facilitation of tax evasion guidance and to mount a defense of 'reasonable controls’.  

Helping your board meet evolving requirements 

Both sets of reforms provide triggers and opportunities for you to ‘kick the tires’ of your governance and reporting processes, to make your board’s transition to meet these evolving requirements and improve the effectiveness of your oversight and, in turn, confidence. Below we set out some suggested considerations. 

• Business-wide financial crime risk assessment
  
  You need to develop and document a comprehensive methodology for identifying, assessing, mitigating, and monitoring financial crime threats and risks. The BWRA is an important control and should, like other controls, be subject to ongoing maturation.
  
  Questions you should ask include:
  
  
  • Has your suggested methodology and approach to the assessment been through governance and been approved?  
  • How does your methodology align with other risk assessment frameworks across the business? Is it consistent and are the outputs translatable? 
  • Does your assessment only consider legal and regulatory requirements and could it be perceived as a gap analysis instead? This may fail to identify your full exposure to threats and risks. 
  • How will your risk assessment evolve to consider the forthcoming CCO for fraud? Is ‘lift and shift’ reasonable or will a more bespoke approach be required?  
  • Is the scope of your assessment complete? Does it include all applicable financial crime risk areas, risk categories, and relevant operations?
  • Do you consider both external and internal inputs into the inherent risk assessment? What sources do you consider?  
  • How do internal inputs from teams such as intelligence functions and investigations teams feed into the risk assessment process?  
  • How do you use your internal data while managing any challenges with data quality or completeness? 
  • How can you ensure the right balance between quantifiable and qualitative approaches? 
  • Do you have a standardized taxonomy for financial crime threats and risks that’s traceable and current? 
  • Do you have a trigger event framework that helps you to determine when to update your risk assessment?  
  • Do you have full lineage between threats, risks, and your control environment to defend design adequacy and scope? 
  • How do you approach the assessment of controls? Are you confident in the reliability, frequency, and granularity of your approach? 
  • How do you document your assessment to ensure rationale for decisions and actions are clear?  
  • Is your BWRA communicated effectively to all relevant stakeholders? 
  • What learnings have you taken from previous iterations? Were there any limitations identified to address?  
    
    
• Governance  
  • Ensure roles and responsibilities for financial crime compliance and risk management are clear at all levels of the organization, from the board to front-line staff. This helps identify gaps which may be unaccounted for, and ensures clarity, efficiency, and prevents intra-line friction.  
  • Put in place clear communication and escalation processes between senior financial crime leaders and the board, as well as other relevant committees or functions, such as audit, risk, or compliance.  
  • Ensure there’s ample provision for cross-functional engagement on priorities, e.g. financial crime committees and mechanisms for urgent matters to be escalated rapidly.  
    
    
• Reporting 
  • Build flexible and dynamic reporting frameworks.
  • Adopt a combination of key risk indicators (KRI) and key performance indicators (KPI) in your reporting. 
  • Define tolerances and reporting rules to enable timely escalations. Once things are flashing red, it might be too late. 
  • Put in place dynamic frameworks. For example, because politically exposed persons (PEPs) are seen as a regulatory risk, consider whether your board needs to be notified every month if exposures are within tolerance, or whether there are more pressing risks that need to be escalated.
  • Consider alternative ways of reporting, such as a thematic threat-led approach, which could help you prioritize your view of financial crime exposure and demonstrate alignment with the regulator's priorities.
  • Consider whether your assessment could be sliced to provide the required views for different stakeholders. For example, would it be easy to provide a report to a modern slavery working group on the range of related threats and the control mitigations you've put in place?

Building board confidence

As a senior financial crime leader, you have a key role in building board confidence through the financial crime framework you implement and operate. Your governance and reporting arrangements need to be operating effectively to facilitate the true potential of this control. Fundamental to your ability to communicate with your board and give them the required oversight of the effectiveness of arrangements in place is the financial crime business-wide risk assessment. 

You should consider whether siloed, static, or non-technical solutions remain fit for purpose for this exercise or whether a dynamic platform-based approach that can provide structured, high quality intelligence analysis and real-time risk views may better suit the reality of a rapidly evolving financial crime landscape.  

Certainly, the growing pressure on boards to make clear the basis upon which their statements are made, which can have material effects for the organization, together with the extended reach of legislation and regulators, should drive this question to the top of your agenda. The BWRA is often overlooked in maturity plans in place of downstream controls, but this is not only a solution to help manage risk, but rather a solution to help organizations chart their path towards achieving their strategic business objectives safely.  

Sources:
1. The world's spinning faster: geopolitics and financial crime in 2024, February 2 2024
2. The future of board governance, Global Network of Director Institutes, 2022 - 2023 Survey Report, 2023
3. Regulatory penalties in 2023: common compliance challenges, January 23 2024
4. New EU measures against money laundering and terrorist financing, March 28 2023  
5. Statement of FinCEN Director Andrea Gacki before the House Committee on Financial Services, February 14  2024 
6. Economic Crime Plan 2, 2023 - 2026, 2023
7. FRC publishes guidance for UK Corporate Governance Code 2024, January 29 2024 
8. Criminal Justice Bill: Pillar 2, “Protecting the public from serious and organised crime” , UK Home Office Impact Assessment , November 2023