White Paper: A summary of the FSA thematic review
1. LexisNexis Red paper
A summary of the FSA thematic review
on Anti-bribery and Corruption Systems
and Controls in Investment Banks
By Mark Dunn
Market Planning Manager, Risk and Compliance
Business Information Solutions
2. Index
Introduction
Assessing bribery and corruption risk
Policies and procedures
Third party relationships and due diligence
Payment controls
Gifts and hospitality
Staff recruitment and vetting
Remuneration structures
Training and awareness
Incident reporting and management
Case studies
Assessing bribery and corruption risk
Looking ahead
LexisNexis has a world-class reputation for providing critical
business tools. For over 30 years we have been pioneers in
intelligence and risk management. As a digital pioneer, the
company was the first to bring legal and business information
online with its Lexis® and Nexis® services. Today, LexisNexis
harnesses leading-edge technology and world-class content to
help professionals work in faster, easier and more effective ways.
Our solutions are used internationally by financial services,
legal and accountancy firms and blue chip multinational
companies to enhance business decision making, fulfil regulatory
requirements and for premium information research.
LexisNexis serves customers in more than 100 countries
with 10,000 employees worldwide.
3. The following review will focus
on the consolidated examples of
good and poor practice highlighted
by the FSA.
In March 2012, the UK Financial Services Authority (FSA) published their thematic review
on Anti-Bribery and Corruption Systems and Controls in Investment Banks.
The thematic review was conducted between August 2011 and
January 2012. The FSA met with 15 firms in the UK including
global investment banks and smaller firms focused on
specialist investment banking business. All firms conducted
business with countries, sectors or types of clients that carried
potential risks of bribery and corruption.
Overall, despite the high profile of the issue, the
investment banking sector has been too slow and too
reactive in managing bribery and corruption risks.
Tracey McDermott, Acting Director
Enforcement and Financial Crime Division
Prior to meeting firms, the FSA also consulted with a number
of stakeholders including the Serious Fraud Office, the Serious
Organised Crime Agency, the Ministry of Justice, the British
Bankers’ Association and Transparency International. The FSA’s
findings are highly critical of banks’ anti-bribery and corruption
systems and controls.
The FSA emphasizes that, despite focusing specifically on
a selection of investment banks:
“We expect regulated firms in all sectors to consider our findings
and examples of good and poor practice, as they may also be
relevant to firms in other sectors which are subject to our financial
crime rules in SYSC 3.2.6R or SYSC 6.1.1R.”
This point is reinforced by reminding authorised firms of the FSA’s
obligations under The Financial Services and Markets Act 2000 to:
• Reduce the extent to which it is possible for a financial
business to be used for a purpose connected with financial
crime because bribery and corruption are financial crimes;
and
• Maintain market confidence, because bribery and
corruption distorts competition and could affect the
UK financial market’s reputation.
4. ABC systems and controls in investment banks
Examples of good and poor practice
Assessing bribery and corruption risk
Examples of Good Practice
• Responsibility for carrying out a risk assessment and keeping
it up to date is clearly apportioned to an individual or a group of
individuals with sufficient levels of expertise and seniority.
• The firm takes adequate steps to identify the bribery and
corruption risk, for example by using a range of expertise
from both within and outside the business.
• Risk assessment is a continuous process based on
qualitative and relevant information available from internal
and external sources.
• Firms consider the potential conflicts of interest which
might lead business units to downplay the level of bribery
and corruption risk to which they are exposed.
• The ABC risk assessment informs the development of
monitoring programmes; policies and procedures; training;
and operational processes.
• The risk assessment demonstrates an awareness and
understanding of firms’ legal and regulatory obligations.
• The firm assesses where risks are greater and concentrates its
resources accordingly.
• The firm considers financial crime risk when designing new
products and services.
Examples of Poor Practice
• The risk assessment is a one-off exercise.
• Efforts to understand the risk assessment are piecemeal
and lack coordination.
• Risk assessments are incomplete and too generic.
• Firms do not satisfy themselves that staff involved in risk
assessment are sufficiently aware of, or sensitised to,
bribery and corruption issues.
Page 50. FSA March 2012. Proposed new guidance is bold.
LexisNexis view
An awareness of a third party’s true risk profile is essential and therefore
the resources used to conduct enhanced due diligence are critical.
If the risk profile is “flattened” and all clients are treated equally the risks
are hidden and the ability to speed through some clients and focus
more on higher risk clients is lost.
Accessing the breadth and depth of global data needed to do this
effectively in a single platform ensures comprehensive checks can be
performed quickly and appropriate risks managed.
With the UK Bribery Act 2010 coming into force and active
enforcement of the US Foreign Corrupt Practices Act, it is
also important that risk assessment criteria reflect corruption
risk indicators. The FSA’s focus on PEPs and their potential link to
corruption will undoubtedly increase going forward.
A structured and consistent approach to risk scoring based on recognised
standards is essential. An audit trail of all decisions taken and the due
diligence research performed to make those decisions helps to ensure
the ABC process covers all the checks and balances required for future
monitoring and review.
This means consistent access to archived data is key as trying to retain
simple web links often means news and other online information are lost
as websites update and refresh their content, thereby putting the integrity
of the regulatory audit trail at risk.
An effective approach to simplified and enhanced due diligence
requires access to comprehensive research information quickly and
in a cost-effective manner.
Company data may be readily available in the UK, but in emerging
markets deemed a higher risk this type of information can be
expensive and difficult to obtain. Licensed PEP lists are useful but not
comprehensive enough (according to the latest FSA review), therefore
broader media checks are also needed. LexisNexis relies on licensed,
indexed, archived data to ensure results remain consistent. Our archive
now stretches back over 35 years, facilitating extensive due diligence
checks with a robust audit trail included as standard.
Policies and procedures
Examples of Good Practice
• The firm clearly sets out the behaviour expected of those
acting on its behalf.
• Firms have conducted a gap analysis of existing ABC
procedures against applicable legislation, regulations and
guidance and made necessary enhancements.
• The firm has a defined process in place for dealing with
breaches of policy.
• The financial crime/compliance team engage with the
business units about the development and implementation
of ABC systems and controls.
• ABC policies and procedures will vary depending on a firm’s
exposure to bribery and corruption risk. But in most cases,
firms should have policies and procedures which cover
expected standards of behaviour; escalation processes;
conflicts of interest; expenses, gifts and hospitality; the use
of third parties to win business; whistleblowing; monitoring
and review mechanisms and disciplinary sanctions for
breaches. These policies need not be in a single ‘ABC policy’
document and may be contained in separate policies.
• There should be an effective mechanism for reporting
issues to the ABC committee or compliance.
Examples of Poor Practice
• The firm has no method in place to monitor and assess staff
compliance with ABC policies and procedures.
• Staff responsible for the implementation and monitoring
of ABC policies and procedures have inadequate expertise
on ABC.
Page 51. FSA March 2012. Proposed new guidance is bold.
LexisNexis view
Keeping the compliance team and key staff updated with changing risk indicators and regulator
expectations needn’t be a costly and cumbersome exercise.
The onset of poor practices is more common when resources are
tight and adequate support is not offered to the compliance function.
LexisNexis works with thousands of financial institutions of all sizes,
offering scalable solutions that meet the needs and budgets of most
organisations. Increasingly organisations are being more selective
in their use of different training materials and technology to deliver
updates to staff.
LexisNexis supports this by separating PEPs into the relevant
categories to ensure only the most relevant matches are delivered.
Domestic PEPs can be switched on or off as needed, however there
is a growing trend to include them as standard.
When multiple systems are deployed, gaps in the ABC process can
be unavoidable. We help our clients ensure they have a consistent
end-to-end process based on a single platform.
Training and tutorials that are targeted to the requirements of specific
personnel and the risks they manage can be delivered via short
webinar updates and supplements to the comprehensive training
undertaken by staff when they join the firm. For example, the definition
of a PEP is not consistent across all jurisdictions so it is key that careful
attention is given to this area.
Third party relationships and due diligence
Examples of Good Practice
• Where third parties are used to generate business, these
relationships are subject to thorough due diligence and
management oversight.
• Third party relationships are reviewed regularly, and in
sufficient detail, to confirm that they are still necessary and
appropriate to continue.
• There are higher, or extra, levels of due diligence and approval
for high risk third party relationships.
• There is appropriate scrutiny of, and approval for, relationships
with third parties that introduce business to the firm.
• The firm’s compliance function has oversight of all third party
relationships and monitors this list to identify risk indicators, eg
a third party’s political or public service connections.
• Evidence that a risk-based approach has been adopted to
identify higher risk relationships in order to apply enhanced
due diligence.
• Enhanced due diligence procedures include a review of the
third party’s own ABC controls.
• Consideration, where appropriate, of compliance
involvement in interviewing consultants and the provision
of anti-corruption training to consultants.
• Inclusion of ABC-specific clauses and appropriate
protections in contracts with third parties.
Examples of Poor Practice
• A firm using intermediaries fails to satisfy itself that those
businesses have adequate controls to detect and prevent
staff using bribery to generate business.
• The firm fails to establish and record an adequate
commercial rationale for using the services of third parties.
• The firm is unable to produce a list of approved third parties,
associated due diligence and details of payments made
to them.
• There is no checking of compliance’s operational role in
approving new third party relationships and accounts.
• A firm assumes that long-standing third party relationships
present no bribery or corruption risk.
• A firm relies exclusively on informal means, such as staff’s
personal knowledge, to assess the bribery and corruption
risk associated with third parties.
• No prescribed take-on process for new third
party relationships.
• A firm does not keep full records of due diligence on
third parties and cannot evidence that it has
considered the bribery and corruption risk associated
with a third party relationship.
• The firm cannot provide evidence of appropriate checks to
identify whether introducers and consultants are PEPs.
• Failure to demonstrate that due diligence information in
another language has been understood by the firm.
Page 52. FSA March 2012. Proposed new guidance is bold.
LexisNexis view
A primary goal for the compliance function is to have a consistent approach to onboarding
which ultimately improves customer service and provides a competitive edge.
By auditing the local and international systems used for third party due
diligence, the business is able to demonstrate consistent compliance.
Risk solutions from LexisNexis enable approval of new third parties at
the appropriate level and escalation to senior management for review
when needed.
All information gathered on an entity can be collated into one file and
forwarded together with any notes, providing an efficient and auditable
review process. A separate file is created for all PEPs and high risk entities,
making closer ongoing monitoring straightforward and routine.
It is possible to allow Business Managers minimal “privileges” and for
any red flags to automatically drive escalation to Compliance, ensuring
an appropriate risk-based approach at each stage.
Using PEP databases in isolation is not sufficient and broader news
checks are needed to clearly identify associations and other high risk
indicators. Building an end-to-end workflow that looks across broader
data sets also ensures ongoing monitoring is regular and efficient.
By seamlessly combining the initial onboarding process with an ongoing
monitoring process, all alerts can be handled in the same manner and
a consistent approach is guaranteed.
Payment controls
Examples of Good Practice
• Ensuring adequate due diligence on and approval of third party
relationships before payments are made to the third party.
• Risk-based approval procedures for payments and a clear
understanding of the reason for all payments.
• Checking third party payments individually prior to approval, to
ensure consistency with the business case for that account.
• Regular and thorough monitoring of third party payments to
check, for example, whether a payment is unusual in the
context of previous similar payments.
• A healthily sceptical approach to approving third party payments.
• Adequate due diligence on new suppliers being added to the
Accounts Payable system.
• Clear limits on staff expenditure, which are fully documented,
communicated to staff and enforced.
• Limiting third party payments from Accounts Payable to
reimbursements of genuine business related costs or
reasonable hospitality.
• Ensuring the reasons for third party payments via Accounts
Payable are clearly documented and appropriately approved.
• The facility to produce accurate MI to assist effective
payment monitoring.
Examples of Poor Practice
• Failing to check whether third parties to whom payments
are due have been subject to appropriate due diligence
and approval.
• Failing to produce regular third party payment schedules
for review.
• Failing to check thoroughly the nature, reasonableness and
appropriateness of gifts and hospitality.
• No absolute limits on different types of expenditure,
combined with inadequate scrutiny during the
approvals process.
Page 53/54. FSA March 2012. Proposed new guidance is bold.
LexisNexis view
Implementing consistent and robust procedures for handling payments to third
parties is an essential part of an ABC process.
The FSA stresses the importance of having in place effective due
diligence and associated approval processes before a third party is
entered into the Accounts Payable system. Clearly documented,
communicated and acknowledged limits on staff expenditure are also
highlighted by the FSA as an example of good practice, enabling staff
to know exactly what is allowable and to drive consistent and ethical
payment behaviour. In addition, a thorough audit trail should be a
prerequisite for any Accounts Payable process. Enabling Compliance to
follow the paper trail is critical should a suspicious payment
require further investigation, or simply to allow the firm to demonstrate
to supervisory authorities what payments were made to a particular
third party and why. This should be supported by regular
reviews and ad hoc spot checks to ensure the payment controls in place
continue to remain robust and appropriate to the firm’s business and
its risk-based approach to anti-bribery and corruption. Such reviews,
accompanied by effective management intelligence, will also enable the
firm to identify and consider potential improvements in the payment
process bringing valuable benefits to the overall business.
Gifts and hospitality
Examples of Good Practice
• Policies and procedures clearly define the approval process
and the limits applicable to G&H.
• Processes for filtering G&H by employee, client and type
of hospitality for analysis.
• Processes to identify unusual or unauthorised G&H and
deviations from approval limits for G&H.
• Staff are trained on G&H policies to an extent appropriate
to their role, in terms of both content and frequency, and
regularly reminded to disclose G&H in line with policy.
• Cash or cash-equivalent gifts are prohibited.
• Political and charitable donations are approved at an
appropriate level, with compliance input, and subject to
appropriate due diligence.
Examples of Poor Practice
• Senior management do not set a good example
to staff on G&H policies.
• Acceptable limits and the approval process are not defined.
• The G&H policy is not kept up to date.
• G&H and levels of staff compliance with related policies
are not monitored.
• No steps are taken to minimise the risk of gifts
going unrecorded.
• Failure to record a clear rationale for approving gifts that
fall outside set thresholds.
• Failure to check whether charities being donated to are
linked to political causes.
Page 55. FSA March 2012. Proposed new guidance is bold.
LexisNexis view
Given all the media attention focused on corporate hospitality and the UK Bribery Act,
it is critical that firms have in place a very clear gifts and hospitality policy.
Of all the issues leading up to the enactment of the Bribery Act, gifts
and hospitality (G&H) received the most attention. The FSA stresses
the need for a G&H policy that is “proportionate,
unambiguous and effectively implemented”. Firms need to remember
that if a case of suspected bribery or corruption is brought to court,
they may need to be able to clearly articulate what their G&H policy is
and why hospitality that could be perceived by some as lavish
is acceptable within the market in which they operate. It is important
to be able to demonstrate how management leads by example on
appropriate G&H standards. Firms should also clearly define G&H
limits, implement approval and monitoring processes and be wary
of their approach to political and charitable donations.
Staff recruitment and vetting
Examples of Good Practice
• Vetting staff on a risk-based approach, taking into account
financial crime risk.
• Enhanced vetting – including checks of credit records,
criminal records, financial sanctions lists, commercially-
available intelligence databases – for staff in roles with
higher bribery and corruption risk.
• Conducting periodic checks to ensure that agencies are
complying with agreed vetting standards.
Examples of Poor Practice
• Failing to carry out repeat checks to identify changes that
could affect an individual’s integrity and suitability.
• No risk based processes for identifying staff who are PEPs
or connected to PEPs.
• Where employment agencies are used to recruit staff, failing
to demonstrate a clear understanding of the checks these
agencies carry out on prospective staff.
• Temporary or contract staff receiving less rigorous vetting than
permanently employed colleagues carrying out similar roles.
Page 55. FSA March 2012. Proposed new guidance is bold.
LexisNexis view
Although ABC due diligence often focuses on sales agents and other third party business partners, it is
important to ensure that the risk of employees committing bribery is also being adequately mitigated.
Most firms visited had employee screening covering areas such as
previous employment, credit and criminal records checks. In some
cases, enhanced employee screening is conducted against sanctions,
negative news, PEP and specialist fraud databases like CIFAS. However,
the FSA reminds firms to consider which employees pose the higher risk
when conducting checks, and not just to apply them to senior personnel.
The FSA highlighted the use of outsourced agencies to conduct employee
vetting and its expectation that firms have a good
understanding of the types of checks such providers conduct. The
FSA also recommends firms undertake periodic checks to ensure that
outsourced employee screening agencies are complying with agreed
vetting standards.
Remuneration structures
Examples of Good Practice
• Remuneration takes account of good compliance behaviour,
not simply the amount of business generated.
• Identifying higher risk functions from a bribery and
corruption perspective and reviewing remuneration
structures to ensure they do not encourage risk taking.
Examples of Poor Practice
• Failing to reflect poor staff compliance with anti-bribery
and corruption policy and procedures in staff appraisal
and remuneration.
Page 55. FSA March 2012. Proposed new guidance is bold.
LexisNexis view
Firms should be fully aware of the FSA Remuneration Code, its relevance to their business
and review the Code in light of the Bribery Act.
Firms need to be wary of implementing payment schemes which
reward staff for taking unacceptable risks that could lead to bribery and
corruption. The FSA reminds firms of the standards that banks, building
societies and some investment firms must adhere to under the FSA
Remuneration Code. The majority of firms sampled had not reviewed
this Code in light of the Bribery Act. Instead, most firms relied on the staff
appraisal process to address adherence to firm ethics and compliance.
Training and awareness
Examples of Good Practice
• Providing good quality, standard training on anti-bribery and
corruption for all staff.
• Ensuring training covers relevant and practical examples.
• Keeping training material and staff knowledge up to date.
• Awareness raising initiatives, such as special campaigns
and events to support routine training, are organised.
Examples of Poor Practice
• Failing to provide training on ABC that is targeted at staff with
greater exposure to bribery and corruption risks.
• Failing to monitor and measure the quality and
effectiveness of training.
Page 55. FSA March 2012. Proposed new guidance is bold.
LexisNexis view
Ensuring staff understand and apply the firm’s ABC policy is critical. To be most effective, ABC training
should be tailored to reflect the firm’s culture, business model and risk-based approach.
Unsurprisingly, the methods of training adopted by firms varied
according to the size of the organization. However, the FSA emphasizes
the need for firms to develop more tailored training aligned to their
risk-based approach. The FSA points out that many firms had not
considered ABC training before the Bribery Act and “therefore had
not met their regulatory obligations”. The importance of keeping training
material and staff knowledge up to date is one of several examples of
good practice highlighted by the report. Failing to monitor and measure
the quality and effectiveness of training is considered a weakness.
Incident reporting and management
Examples of Good Practice
• Clear procedures for whistleblowing and the reporting of
suspicions which are communicated to staff.
• Details about whistleblowing hotlines are visible and
accessible to staff.
• Where whistleblowing hotlines are not provided, firms
should consider measures to allow staff to raise concerns
anonymously, with adequate levels of protection and
communicate this clearly to staff.
• Firms use information gathered from whistleblowing and
internal complaints to assess the effectiveness of their
ABC policies and procedures.
Examples of Poor Practice
• Failing to maintain proper records of incidents
and complaints.
Page 55. FSA March 2012. Proposed new guidance is bold.
LexisNexis view
Firms must have effective procedures for reporting and escalating bribery and corruption concerns.
The FSA assessed firms’ processes covering complaints, reporting and
whistleblowing. There were no serious failings uncovered in internal
reporting procedures, with staff often aware of such processes from
their ABC training. However, firms are reminded of the importance of
maintaining proper records of reported incidents and complaints.
Case studies
The FSA review also includes a number of case studies highlighting areas that concerned the FSA
during their onsite visits. The case studies include anonymised examples of failings in a number of
ABC systems and controls. Selected examples include:
Assessing bribery and corruption risk
Subjective perception
• Some firms had selected business units
based on either a subjective perception
of corruption risk or preference, rather
than an informed decision based on
objective criteria.
• Three large firms had not completed
a full bribery and corruption risk
assessment. Furthermore, two of
them had determined that bribery
and corruption was high risk for their
business but had not identified where
or what the highest risks were.
Page 17. FSA March 2012.
Quality of training
• It is important for firms to be able to
assess the quality and adequacy of
their training.
• A large firm said that multiple
test failures were very rare
domestically but not uncommon
in foreign branches and subsidiaries,
due to language barriers. This
suggests their training for overseas
staff was ineffective.
Page 44. FSA March 2012.
Levels of expertise
• We expect responsibility for carrying out
a risk assessment and keeping it up to
date to be clearly apportioned to an
individual or a group of individuals with
sufficient levels of expertise and seniority.
• One large firm had not assigned
specific responsibility for oversight
of risk assessment to an individual or
group of individuals; rather, it was left
to individuals responsible for
conducting due diligence, although
where risks were identified, these
would be referred to compliance. We
were concerned that, while the level
of risk involved in specific business
transactions was assessed, the firm
had an incomplete view of the extent
of its bribery and corruption risk.
Page 19. FSA March 2012.
Looking ahead
Unsurprisingly, given the failings identified and highlighted in the report,
the FSA press release hinted at possible future enforcement action
being taken against some of the 15 firms sampled. The FSA also issued a
consultation paper inviting comments on the proposed amendments to
their Financial Crime: A guide for firms to incorporate the wealth of new
material gathered during the thematic review.
The FSA is considering whether further regulatory action is
required in relation to certain firms in its review. … The FSA and,
from next year, the Financial Conduct Authority will continue
to focus on financial crime risks in this sector and beyond to
ensure firms are meeting their legal and regulatory obligations.
Tracey McDermott, Acting Director, Enforcement
and Financial Crime Division
12. How LexisNexis helps organisations comply
LexisNexis Risk solutions can protect your business in a number of ways – we simplify the compliance
process, we reduce the related costs and we enable an effective risk based approach based on the right
information at the right time. Our fast, intuitive solutions do not require any additional IT investment or training.
All searches are time and date stamped providing you with the audit trail you need for the regulator.
Manage enhanced due diligence checks on new and existing customers
Search on a company, individual or country
through our online due diligence solution. Lexis
Diligence searches global news and business
information, sanctions and PEPs delivering
accurate and relevant matches immediately.
Results can be saved, printed or put into a
report to enable a decision to be made on
whether to progress the relationship.
Be confident that your decisions are based
upon content you can trust, and save valuable
time with account opening or third party due
diligence checks.
Lexis Diligence is used by the world’s top five
banks, law firms and blue chip companies
to mitigate risk every day. Achieve a
competitive advantage by speeding up the
client acceptance process whilst maintaining
necessary controls.
Conduct ongoing screening of existing customers
Monitor customers and other third-parties
through LexisNexis Bridger Insight. Stay
compliant and safeguard your organisation’s
reputation by regularly monitoring high risk
customers in case their status changes, as per
your risk-based approach.
Simply upload all the customers you need to
monitor to LexisNexis Bridger Insight. You can
screen as many companies and individuals
as you need in one transaction. The list will be
screened against our global sanctions, watch
lists and PEP data and the results file returned
for review. Any matches are clearly highlighted
so that you can choose which alerts would
merit further investigation in Lexis Diligence.
Our superior fuzzy-name matching algorithm
ensures better matches saving you valuable
time and money investigating irrelevant results.
Monitor high risk customers across the media
Monitor news across all key media on your
high risk third parties through your own early
warning system.
Fuzzy matching is not used, ensuring you
only get the relevant results you need to
see. Automated monitoring enables you to
anticipate and mitigate any financial and
reputational risks to protect your organization.
Using a unique mix of multi-lingual data
mining and sentiment analysis techniques,
supplemented by our in-house analysts’
expertise, LexisNexis Analytics automatically
monitors internal, online and press coverage
through a single interface.
LexisNexis Analytics can also be used to
monitor competitor movement, partner’s
reputations and key customers and suppliers,
arming you with invaluable insight.
t. +44 (0) 845 370 1234
e. risk@lexisnexis.co.uk
w. www.lexisnexis.co.uk/risk