Financial Crime Risk Assessment –

Guidance for Partners,

Brokers & Suppliers of Aviva

Why Complete a Financial What is a FCRA?

Crime Risk Assessment (FCRA) A FCRA is the cornerstone to effective
The FCA has revealed that regulated financial crime prevention. The process
entities are still not doing enough to of completing a FCRA includes the
identify, assess and tackle their financial identification, quantification and
crime risks within their business. documentation of the financial
crime risks for your business and
The FCA have advised that a
thus the construction and provision
‘Thorough understanding of a
of a sufficient framework for the
firm’s financial crime risk is key if
management of these risks.
a firm is to apply proportionate and
effective systems and controls… []…
It is important to remember that the
A firm should identify and assess
completion of a FCRA is not an exercise
the financial crime risks to which it is
to just identify and measure risk for the
exposed as a result of, for example,
sake of it; it is to ensure a business is
the products and services it offers,
equipped to determine the appropriate
the jurisdictions it operates in, the types
response to their financial crime risks.
of customer it attracts, the complexity
and volume of transactions, and the
distribution channels it uses to service How should a FCRA
its customers. Firms can then target be completed?
their financial crime resources on A FCRA should take into consideration
the areas of greatest risk’ all types of financial crime your business
[FCA – Financial crime: a guide for firm, is vulnerable to; these include but are
April 2015] not limited to
• Sanctions
Due to the recent focus from the • Fraud
FCA upon businesses’ financial crime
• Bribery and Corruption
risks Aviva have developed this set of
guidelines to assist our partners, brokers • Terrorist financing
and suppliers in the completion of a • Money laundering
FCRA for their business. • Market abuse
These Aviva guidelines are neither
advice nor a checklist to be used
prescriptively to mitigate financial
crime risks. We would recommend
consultation with your legal and
compliance department/contacts
to conduct and implement a FCRA.

J6860-RRDCG1174-0116.indd 1 25/01/2016 16:26

 Financial Crime Risk Assessment –
Guidance for Partners,
Brokers & Suppliers of Aviva
Your internal and external financial
crime risks should be identified based
on various reliable and accurate sources
of information. Sources you could utilise
include the Financial Action Task Force
or the National Crime Agency alerts.
It is your own firm’s responsibility
to ensure that all financial crimes
represented within your business
model are identified, articulated
and documented within the FCRA.
We would advise consideration to the
FCA’s self assessment questions to
assist in the completion of a FCRA.
These are stated below;
• What are the main financial crime
risks to the business?
• How does your firm seek to
understand the financial crime risks
it faces?
• When did the firm last update its
risk assessment?
• How do you identify new or
emerging financial crime risks?
• Is there evidence that risk is
considered and recorded
systematically, assessments are
updated and sign-off is appropriate?
• Who challenges risk assessments
and how? Is this process sufficiently
rigorous and well documented?
• How do procedures on the
ground adapt to emerging risks?
(For example, how quickly are
policy manuals updated and
procedures amended?)
J6860-RRDCG1174-0116.indd 2
However these above questions are
not exhaustive and should not be
used as such, there are various other
guidance documents available to
assist with a FCRA.
You should aim to take a holistic
approach to all financial crimes risks.
Controls implemented to mitigate
a risk in one area e.g. verification
of customers to mitigate money
laundering can also act as a control
to prevent fraud and ensure you have
accurate information for sanction
screening. You will also need to
consider the impact of your financial
crime risks, not only on the business,
but how these impact your customers.
The output of your FCRA should be
documented and highlight
• The financial crime risks which
impact on your business
• The controls you have in place
• Any gaps in current controls
Any recommended actions should
be agreed and authorised by
senior management.
25/01/2016 16:26
 Financial Crime Risk Assessment –
Guidance for Partners,
Brokers & Suppliers of Aviva
We have provided a template to assist
in documenting and recording the
outcomes of your FCRA.
What factors should we take into
account to complete a FCRA?
The four main factors to take into
consideration when completing a
FCRA are
• The jurisdiction you operate in
• Type of product and services
you provide
• The type of Client
• Distribution – the channels used
to service your customers and
the complexity and volume
of transactions
External sources which can assist
with the assessment of these factors
are Transparency International and
their Corruption perception index
(jurisdiction); the Egmont Group
(product); the Wolfberg Group
(customer and distribution). These are
not an exhaustive list of all external
sources which can be utilised.
What Risks should be identified
to complete a FCRA?
There are 2 types of risks that need to
be distinguished between to ensure an
efficient FCRA. These should be applied
to all financial crimes your business is
susceptible to.
J6860-RRDCG1174-0116.indd 3
They are;
• Inherent risk: The risk before
consideration of the mitigating effect
of any controls. Consideration of
inherent risk ignores the existence of
controls and makes no assumptions
about how effective such controls
are. Consider what adverse events
the business could be reasonably
exposed to by its’ activities before
mitigating controls are implemented.
• Residual risk: The risk of an inherent
risk after taking into account the
mitigating controls that have
been implemented.
When should a FCRA be
completed?
The FCRA is not a one off process; this
should be refreshed at regular intervals,
at least annually, to meet the needs and
requirements of your business model.
New products, customer profiles,
distribution channels or emerging risks
within external environments may
prompt you to refresh your financial
crime risks more frequently.
Any agreed upon actions from the
FCRA need to be implemented. New
systems, processes and policies should
be appropriately communicated to staff
ensuring they have an understanding
of the purpose of their implementation
and understand the role and/or
responsibilities they have to make
them effective.
25/01/2016 16:26
 Financial Crime Risk Assessment –
Guidance for Partners,
Brokers & Suppliers of Aviva

What tends to go wrong with At the other end of the spectrum an

businesses’ FCRA? inadequate FCRA could mean gaps in
There are a number of factors which controls are not successfully identified
are common pitfalls when completing leaving the business open to utilisation
a FCRA. These can include for financial crime, whether by data
theft, money laundering, terrorist
• Focus of the FCRA is too narrow,
financing or fraud.
only a few risks are addressed.
• The FCRA is completed as a one
Inadequate systems and controls to
off process; this is not refreshed on
combat financial crime could also lead
a regular basis.
to regulatory censure from the FCA
• There is too much focus on internal and businesses and staff to unwittingly
sources of information – external breach regulations.
sources of information are not utilised
to take into account the changing
climate of the wider world which
could impact on the products
they provide or the industries and
jurisdictions they operate in.
• Subsidiaries and branches can be
too reliant on a FCRA which is
completed at Group level, negating
to take into account the local Market
they operate within.

If the FCRA is inadequately completed

this can result in the implementation
of severe and strict controls which are
not proportionate to a business’s risk
profile. This could mean resource and
time are not used efficiently causing
an adverse impact on the business,
customers and staff.

RRDCG1174 01.16

J6860-RRDCG1174-0116.indd 4 25/01/2016 16:26