UKGI Compliance Manual

The rules and principles which apply

In Section A.14.3 we outlined the regulatory considerations for determining proportionate and reasonable measures to prevent financial crime.

Whilst policies and procedures should be robust, they should be proportionate to the nature, scale and complexity of the firm’s activities and should include as a minimum:

  • Systems and controls enabling the firm to identify, assess, monitor and manage the risk of being involved in money laundering or fraudulent transactions; and
  • Staff training and awareness on how financial crime may arise and what they should do if they identify a suspicious transaction and/or suspect a crime has been committed.

We look at how reasonable controls may operate in practice below.

How this may affect firms

Anti-Money Laundering

In terms of money laundering and terrorist financing, the Regulator does not consider general insurance intermediaries are at a high risk of ‘being used to further financial crime’. For this reason, the Regulator’s specific money laundering requirements do not apply.

However, firms still have a duty (under SYSC 6.1.1), and a legal responsibility under the Proceeds of Crime Act and the Terrorism Act, to recognise and report suspicious transactions. This responsibility is covered in greater detail in Section A.14.4 (Financial sanctions) and Section B.18 (Financial crime and sanctions).

Although incidences of money laundering are rare within the general insurance industry, other types of financial crime, such as bribery and fraud, are more common.

Top Level Commitment

In Section A.14.3, we outlined what Senior Management arrangements firms should put in place relating to financial crime. These include the need to allocate a prescribed responsibility to the most senior manager responsible for the firm’s policies and procedures for countering the risk that the firm might be used to further financial crime.

Typically, the oversight role includes:

  • Ensuring that the organisation has appropriate policies and procedures relevant to the nature and scope of the financial crime risks the firm may be exposed to, including fraud prevention measures.
  • Communication and endorsement of the organisation’s stance on preventing financial crime, including mission statements.
  • Ensuring that there are clear escalation, response plans and investigation procedures in place, including responsibility for reporting fraud to relevant authorities.
  • Ensuring that there is clear governance across the organisation in respect of the financial crime prevention framework, including review of relevant metrics which may be key indicators of suspicious activity and horizon scanning in order to identify new or emerging financial crime risks.
  • Commitment to training and resourcing in relation to financial crime prevention.
  • Leading by example and fostering an open culture, where staff feel empowered to speak up if they encounter fraudulent practices (this will also be supported by the firm’s Whistleblowing Policy).

Risk Assessment

Firms should undertake a risk assessment to identify which areas of their operations are most vulnerable to financial crime and fraudsters, and put in place appropriate defence controls to reduce exposure and mitigate fraud outcomes. The risk assessment should also take into account which parts of the business present greater risks of money laundering, terrorist financing or proliferation financing, and the extent to which these risks are likely to be an issue for the firm. This risk assessment must inform the firm’s day-to-day operations (for example, the level of customer due diligence you apply or your decisions about accepting or maintaining relationships).

Areas for consideration when completing the risk assessment should include factors such as:

  • Customer risk profile (or beneficial owners in commercial arrangements) including:
    • company structures,
    • political connections,
    • involvement in public contracts,
    • financial stability (including source of wealth/funds),
    • any criminal history or known criminal associates,
    • expected account use/activity, and
    • geographical location.
  • Risks associated with products, services, activities, transactions and business lines including:
    • delivery channels (e.g. internet, telephone, branches), and
    • sector risk profile.

It may not be possible to anticipate all potential financial crime risks that a firm may be exposed to at any given time, particularly as new forms of financial crime continue to emerge. However, firms can take a proportionate approach to their assessment by considering:

  • Opportunity i.e. weak controls, inadequate oversight.
  • Motive i.e. impact to employees of financial stress, meeting targets, remuneration policies.
  • Rationalisation i.e. the types of financial crime which are relevant to the business sector, and the firm’s own financial crime prevention culture.

Firms should continually review the effectiveness of their controls, for example adapting to new fraud threats or when new products and delivery channels are developed which may be more vulnerable to financial crime. It is our view that risk assessments should be completed annually where possible, and in any case no less often than every two years.

Firms may wish to use a combination of self-assessment questions and draw insight from the examples of good and poor practice published by the FCA when completing such assessments. Sources of information about potential risks, including internal data analytics, compliance monitoring/internal audits and information from external sources such as fraud prevention organisations, trade bodies and consumer organisations, can also provide useful insight when completing risk assessments, and the latter should form part of the firm’s horizon scanning activity.

Note: Large firms that are liable for prosecution under the new offence of failing to prevent fraud under the Economic Crime and Corporate Transparency Act 2023 (see Section A.14.3) will need to extend their existing risk assessments to include the risk of all potential frauds in scope of this offence, and may also need to consider emergency scenario planning for those fraud events that may be considered to pose a significant risk to customers or market integrity.

Policy and Procedure

All employees should be provided with clear policies and procedures relating to financial crime systems and controls. We have developed a number of policy templates which firms may find useful in helping them to ensure they have appropriate policies in place as follows:

  • CORE 29 – Financial Crime Policy
  • CORE 30 – Anti Money Laundering Policy
  • CORE 16 – Financial Sanctions Policy
  • CORE 31 – Fraud Policy
  • CORE 20 – Gifts, Inducements and Hospitality Policy
  • CORE 19 – Anti Bribery and Corruption Policy

These policies must be fully personalised to reflect the financial crime prevention and control measures in place within the firm following an appropriate risk assessment. It is also likely that financial crime defence controls will be included in a number of the firm’s policies and procedures across different activities and areas of responsibility, as outlined in some of the sections below.

Ethical Behaviours

Fostering the right culture in terms of ethical behaviours is very important to financial crime prevention. The firm’s conflict-of-interest policy will likely support financial crime prevention by mitigating risks that expose the firm to unethical behaviours. This includes the firm’s approach to remuneration, which should not present a motive for financial crime or encourage staff to overlook financial crime controls in the pursuit of business targets.

Firms may also wish to support this with a Code of Conduct which sets out the firm’s expectations of employees in relation to the ethical behaviours expected under the COCON rules. We have included a sample Code of Conduct which firms may find useful at Document CTCF05.

Escalation and Reporting

Financial crime response plans and investigation procedures should be in place to ensure that employees know how to seek help and support if they believe they have identified a financial crime risk or fraudulent activity, and to know that such reports will be treated as confidential. Firms should have a nominated senior individual responsible for receiving and investigating reports of financial crime and for making reports to external bodies where appropriate (including escalation of issues to the firm’s governing body).

Whistleblowing

If an employee has concerns or suspicions about the firm itself or individuals employed by the firm being involved in fraudulent activity, they should be able to make a protected disclosure under the Public Interest Disclosure Act (PIDA) 1998. Firms should have a Whistleblowing policy in place to protect any employee needing to make such a disclosure.

Training

It is important that all employees are aware of financial crime and how its various forms may impact their day-to-day roles. It is essential therefore that firms ensure that all employees receive training on how to identify and respond to suspected incidents of financial crime and how to support customers who have fallen victim to fraud. This training should be undertaken during the induction process and periodically (ideally annually) thereafter.

Firms should seek to ensure that the topic of financial crime remains on the ‘agenda’ with regular and consistent reminders of how important prevention measures are.

Firms should also consider how they ensure awareness and understanding of financial crime policies amongst those who provide services for or on their behalf. Where firms have appointed outsourcers or appointed representatives, for example, communication of financial crime prevention measures should form part of the on-boarding process and subsequent monitoring activity.

Firms should also consider what can be done to foster a ‘fraud aware’ culture by for example:

  • Pointing out to employees the impact of fraud on colleagues, the business, the sector and on public trust.
  • Encouraging staff feedback and escalation.
  • Supporting staff by allowing appropriate time for anti-fraud measures to be properly observed, for example in the sales process.
  • Sharing information on what is best practice on reducing fraud risks in the sector.

Staff Vetting

Firms can be exposed to insider fraud, and one way of reducing this is to ensure that all staff go through a clear recruitment and vetting process. This may include credit checks, criminal record checks, assessing fitness and propriety and obtaining references. See Chapter G for more information on recruitment processes. The nature of the checks will usually depend on the role itself, with higher risk or more senior roles subject to greater levels of vetting.

Segregation of Duties

A firm should segregate duties to avoid a single individual initiating, processing and controlling transactions (see Section C.2.3). At its simplest level this means, for example, that one individual should not be able to order goods, approve the invoice and write the cheque to settle the account. This can also include having approval and sign-off procedures in place, where appropriate, through various reporting lines within the organisational structure.

Clearly, some firms, particularly smaller firms, may find segregating duties impractical. Where it is not possible to segregate duties (for example a sole trader) the Regulator expects to see alternative controls in place, such as independent monitoring, for example, a review by the firm’s accountant.

Firms should also consider how they identify the risk that a relationship manager might become too close to customers to take an objective view of financial crime risks, and how they manage that risk effectively, for example by having in place a policy for the disclosure of close relationships (which is also closely linked to the management of conflicts of interest).

Conduct of Business Processes

A firm’s sales processes can identify insurance proposals that may present a higher risk of being vulnerable to financial crime. Firms should therefore have in place robust sales policies and procedures, which may include checklists and scripts to ensure that an appropriate fact find is completed to assess the risk and the suitability of the products available. This may involve carrying out certain customer due diligence including, for example, credit checks, checking fraud databases and verifying customer identity where required. It also includes ensuring accurate records are maintained and taking advantage of after-sales customer contact to update due diligence information.

Where firms make use of technology, for example automated monitoring systems, they will need to ensure that they have fully considered how these have been selected, the scope and range of data that is used to take a holistic approach to assessing customer behaviour, and how the outputs are calibrated and tested. This will include how firms respond to alerts (i.e. when manual intervention is triggered) and how results are fed back into the customer risk profile.

There may be cases where certain customers, products or transactions present a higher risk, and firms should therefore consider what is proportionate and necessary in the circumstances. For example, some firms may operate both a standard and an enhanced due diligence process, with the latter being triggered in certain circumstances; we provide an example of this within our CORE 30 – Anti Money Laundering Policy.

Data Security

A key risk for firms in combating financial crime arises from their IT security arrangements, in particular preventing unauthorised access to company systems and personal data. Firms will generally need to undertake a review of their IT systems and controls, both from the viewpoint of data security and from that of the risk that the firm could be used to further financial crime. Due to the specialist nature of IT risk, some firms will have a dedicated IT function, and in some cases firms may use outsourced service providers and external specialists to help them assess their IT security risk. Some key risk questions for firms to consider are:

  • Are critical systems and data backed up, and do you test backup recovery processes regularly?
  • Are you able to restore services in the event of an incident?
  • Are network and computer security systems, software and applications kept up to date and regularly patched?
  • Do you make sure your computer network and information systems are configured to prevent unauthorised access?
  • How do you manage user and device credentials?
  • Do you ensure that staff use strong passwords when logging on to hardware and software? Are the default administrator credentials for all devices changed?
  • Is two-factor authentication used where the confidentiality of the data is most crucial?
  • How do you protect sensitive data that is stored or in transit?
  • Do you use encryption software to protect your critical information from unauthorised access?

Due diligence

Most firms operating in a regulated environment will already be undertaking a wide range of due diligence activities including staff, customers, agency arrangements, suppliers and any outsource or appointed representative arrangements.

Due diligence requirements should be clearly set out in a firm’s processes and procedures where relevant. For example, the nature and scope of customer checks should be incorporated into the firm’s sales and administration processes, employee checks into HR processes, etc.

Any firm involved in mergers and acquisitions should also ensure that they are appropriately considering fraud risks as part of the due diligence process.

Firms may also consider using appropriate technology, for example, third-party risk management tools, screening tools, internet searches, checking trading history or professional or regulated status if relevant, or vetting checks if appropriate.

The level and detail of the due diligence undertaken will differ greatly depending on the nature of any arrangement, for example the extent to which you undertake ‘know your customer’ checks will depend on the risk posed by the product and the customer themselves. Therefore, firms should ensure that any due diligence undertaken is tailored and specific to the nature of the arrangement and give consideration to the fraud risks that the relationship may expose them to.

It is also important when dealing with sub-agents, contractors, third-party suppliers, outsourcers, appointed representatives etc. that you review contracts to ensure they include appropriate obligations requiring compliance and, where appropriate, the ability to terminate in the event of a breach.

We provide more guidance for firms on the topic of due diligence in Bulletin 378. However, as suitable criteria for each due diligence activity may differ, firms that require specific guidance on due diligence for particular arrangements should contact our Technical Helpdesk for further information on the support services available.

Management Information

To ensure that Senior Managers are kept appropriately informed of and can respond quickly and effectively to fraud risks, it is good practice for Management Information (MI) to be reviewed periodically. This can include reports such as compliance monitoring or audit reports, legal and regulatory developments, staff expenses, transactional data, quality monitoring and breach reporting etc.

Firms should also consider the impact of anti-bribery and corruption legislation when considering the exposure that the firm’s employees may have to the giving and receiving of inducements. Most commonly in this scenario this means the giving or receiving of gifts and hospitality to any extent that may lead to inappropriate or unfair decision making, or to acting in a way which is not in the customers’ best interests.

Governance

Best practice is for fraud prevention measures to be tested independently where possible. Firms that, for example, have compliance functions which carry out periodic monitoring as part of the firm’s annual compliance plan should consider what monitoring activity is appropriate, and whether appropriate segregation of duties exists to avoid any conflict in providing a fair assessment of how effective the firm’s controls are in practice.

Many small firms will not have an independent audit function, and as such it is for the firm’s governing body to determine what is required in terms of assurance activity. This will depend on the level of fraud risk the firm is exposed to, its internal knowledge and expertise, and its ability to segregate monitoring activity. Where a firm believes it may need external support in assessing the appropriateness and effectiveness of its controls in any area, including financial crime, it could take a ‘critical friend’ approach, for example utilising external consultancy services to help with implementation, risk assessment, testing etc.

The governing body of a firm must take a proactive approach to approving and ‘signing off’ the firm’s financial crime prevention measures. This is most likely to take place at the point new risk assessments are completed. However, firms should note that financial crime investigation and response processes should ensure that the governing body is informed immediately of any significant fraud risks that could, for example, result in investigations by law enforcement or regulatory bodies, significant financial losses or reputational damage, or that could cause widespread harm to customers or the markets in which the firm operates.