
Wolfsberg Group Principles for Auditing for Effectiveness

The Wolfsberg Group (the Group) has encouraged Financial Institutions (FIs[^1]) and regulators to focus on effective outcomes in Financial Crime Risk Management (FCRM) using the Wolfsberg Factors:

  1. Complying with financial crime laws and regulations;

  2. Establishing a reasonable and risk-based set of controls to mitigate the risks of an FI being used to facilitate illicit activity;[^2]

  3. Providing highly useful information to relevant government agencies[^3] in defined priority areas.

The Group believes that Internal Audit (IA) can assist their FIs in the fight against financial crime by measuring FCRM outcomes using the Wolfsberg Factors and has developed these Principles, as a joint exercise between member banks’ second and third lines of defence, to provide FIs with a framework for such an assessment.

IA, an independent function within an FI, constitutes the third line of defence and should conduct independent audits[^4] in an objective, thorough, and impartial manner in line with professional standards (e.g. Institute of Internal Auditors). IA should adopt a risk-based approach (RBA) that is informed by applicable laws and regulations and the risks identified in the FI’s risk assessment.

IA plays an important role in assessing the comprehensiveness and effectiveness of the FCRM programme, validating that the programme is dynamic and covers all regulatory requirements in a thoroughly documented manner. IA should play an important role in confirming that an FI’s FCRM programme is focused on risk-relevant activities.

IA is responsible for assessing the effectiveness of (key) controls over the FI’s activities and entities[^5] and may focus on any aspect of their operations without any restriction. Further, IA should adopt an RBA that includes internal and external requirements (e.g. local regulations may have defined requirements).

IA should assess the effectiveness of the FI’s FCRM programme notably ensuring that policies and procedures take into account applicable rules, regulations, best practices, and guidance to foster effective operations, appropriately managed levels of risk exposure and the relevance and sustainability of the control framework. IA should also assess the FI’s awareness of risk and provide its conclusions on compliance leveraging its established audit methodology and expectations of professional practices. In order to fulfil its mandate, IA should conduct a periodic[^6] risk assessment to determine audit priorities for annual and/or multi-year audit plans. Following the completion of their audits, IA should issue conclusions in line with their methodology, which should include a standardised process to report, track, and escalate identified control deficiencies. Separately, IA should validate remedial actions to address control deficiencies and/or mitigation of the identified risk, including where issues have been raised by parties outside of IA (e.g. regulatory or self-identified issues).

IA can leverage these Principles to complement their existing audit methodology, while retaining their role as an independent review function. In doing so, IA will promote effective risk management and further support sound management of the FI’s FCRM programme. Furthermore, adherence to these Principles will support the effectiveness of the industry to detect, prevent and report financial crime.

Factor 1: Complying with Financial Crime Laws and Regulations

Complying with applicable laws and regulations is the foundation of an FCRM programme under FI Management responsibility and is the first of the Wolfsberg Factors. Consequently, IA activity should include a focus on the prescriptive requirements in law and regulation.

Principle 1

**As a baseline matter, IA should assess whether the FI can demonstrate that its governance documents[^7] address the requirements of all relevant local laws and regulations and assess that the FI has an effective set of controls to ensure adherence to these requirements.**

FIs should establish and maintain a baseline for managing the legal requirements for FCRM. These are the requirements that apply equally to all FIs that engage in similar activities or operate in the same jurisdiction(s).

Measures

**1.1. The FI can evidence that local financial crime laws and regulations have been addressed in the FI’s governance documents.**

This is an exercise performed by an FI either internally or with outsourced expertise. If an FI has decided to create a globally consistent policy that imposes a higher standard than what is required by local law or regulation, the higher standard should be used unless there is a conflict with local law or regulatory expectation. Certain jurisdictions may have higher or lower standards than group policy and IA should be positioned to assess each entity’s controls based on the standards applicable to the jurisdiction/function. In instances where local requirements deviate from global standards, a process to raise, oversee, and track those deviations should be implemented.

1.2. The FI can evidence that controls mapped to these elements of the governance documents are designed and operating effectively.

The basic principle is that FI management is responsible for managing financial crime risks through designing and implementing appropriate and sustainable controls, which are then subject to assessment by IA. FIs should be able to demonstrate that their assessment programme ties back to the requirements of local laws and regulations and meets the baseline regulatory requirements.

**1.3. The FI can evidence a sufficiently governed process to assess the adequacy of the FCRM programme in addressing regulatory requirements.**

The exercise, noted in 1.1, needs to be refreshed periodically or on a trigger basis, for example to incorporate regulatory changes. Any regulatory gaps should be identified, require action plans to remediate, and the remediation should fully address the identified gap. Oversight of these processes should be provided by an appropriate governance forum.

Factor 2: Establishing a Reasonable and Risk-Based Set of Controls

An FI must meet the risk management requirements contained in the prescriptive elements of law and regulation (Principle 1), as well as the principles-based elements of law and regulation (Principle 2). An FI must understand: (a) the financial crime risk inherent in its business strategy and operating model; (b) the expectations of its regulators; and (c) its own risk appetite. It is only with this full understanding, and with sufficient subject-matter expertise among all three lines of defence to build and maintain an effective risk-based FCRM programme, that an FI can then design a reasonable set of risk-based controls that are proportionate to the risks it faces and enable it to operate within its own risk appetite. In this manner, an FI reduces the risk of its products and services being used in furtherance of criminal activity, thereby fulfilling its role in protecting the integrity of the global financial system. This is the second of the Wolfsberg Factors.[^8]

Principle 2

**IA should evaluate whether the FI has a well-designed, reasonable and risk-based set of controls, and then assess the effectiveness of the controls.**

Financial crime risk and risk appetite vary by FI, which impacts the processes and controls an FI implements to mitigate these risks and operate within their risk appetite. FCRM is a dynamic area that requires the continuous application of sound risk management practices with prioritisation of resources and adequate funding to manage the risk in line with the risk appetite. The FI must have sufficient subject matter experts to build and operate a proactive, effective, risk-based FCRM programme.

In this context, the concept of ‘set of controls’ is meant to be inclusive of the FI’s FCRM internal control framework, however defined internally, including items such as risk appetite, policy, procedures, processes, and controls, designed to mitigate financial crime risk.

Measures

**2.1. The FI can evidence that its set of controls is designed to provide reasonable coverage that is proportionate to the risks identified in its risk assessment documentation.[^9]**

Judgment is required when determining how to apply control coverage in a manner that is reasonable and proportionate to the risk presented, and adapting that coverage under appropriate governance in response to a changing threat landscape and evolving regulatory expectation.

**2.2. The FI can evidence that the set of controls is effective.**

Together with Measure 1.2, these measures reflect the standard assessment of the defined controls performed by IA. Measure 1.2 demonstrates technical compliance with the prescriptive elements of law and regulation, while Measure 2.2 demonstrates compliance with the principles-based elements of law and regulation. While there is no requirement to map controls to each principle, an understanding of the difference may help an FI to identify opportunities to adjust its control strategy over time.

**2.3. The FI can evidence a sufficiently governed process for changes to its set of controls and that such governance gives appropriate consideration to financial crime risk.**

Making changes to an FI’s set of controls is a necessity to keep pace with evolving business strategies, laws, regulations, and financial crime threats. Additionally, enhancements to controls may be the result of ongoing assessment of control vulnerabilities, including the identification of ineffective or redundant controls. Changes may include extending and starting new control activities (e.g. those associated with a new product), or stopping, reducing, or redesigning existing control activities (e.g. those that are redundant or duplicative). IA independently reviews and validates changes to ensure appropriate governance processes were followed and to confirm that the FI retains a reasonable and risk-based set of controls, raising challenges as appropriate. As part of their assessment of the effectiveness of the set of controls, IA should also take the opportunity to highlight where controls are not producing the intended risk management outcome or are simply no longer relevant.

Factor 3: Providing Highly Useful Information

**The third Wolfsberg Factor focuses on an FI’s role in supporting law enforcement and relevant government agencies to keep their communities safe from harm through the provision of relevant information.**

It applies to information that an FI provides through regulatory reporting mechanisms, such as suspicious activity/transaction reporting,[^10] as well as collaborative mechanisms, such as government-sponsored information sharing partnerships with industry (i.e. Public-Private Partnerships (PPPs)). The emphasis here is the FI’s effectiveness in providing useful information that supports relevant government agencies’ efforts to keep communities safe from harm. In other words, it is about the quality and usefulness of the information shared rather than the existence of the information or purely technical compliance.

Principle 3

An FI may choose to establish quantitative and/or qualitative indicators relating to the sharing of highly useful information to relevant government agencies.

FIs may choose to define what they consider to be highly useful information and apply their own judgment in developing indicators that can be applied systematically across their information-sharing and reporting activities. This may include quantitative and qualitative indicators, and while it is recognised that such indicators are unlikely to provide an absolute measure of the usefulness of information provided to government agencies, they may be inferred to be indicative of the effectiveness of information sharing.

Understandable inherent challenges will remain in relation to obtaining feedback from government agencies for reports filed. FI indicators, if established, can provide information that allows IA and government agencies to assess an institution’s efforts to meet this Principle. If an FI chooses to develop these indicators then the following measures may assist in their maintenance and use.

Measures

**3.1. The FI may consider developing a credible and reasonable set of indicators upon which to assess its performance in providing highly useful information to relevant government agencies in defined priority areas.**[^11]

The development and implementation of such indicators will be new for many FIs, their IA teams and their regulators, so initial assessment may need to focus on the necessary transformation effort itself. There is an opportunity for the industry to do further work to identify best-practices and promote consistency, where practical, in the most relevant indicators.

**3.2. The FI can evidence that it is collecting the indicators it has set for itself.**

FIs may consider establishing internal standards or guidelines for the collection of this form of management information. If the FI has established internal standards and guidelines, IA can use these to assess whether the FI is collecting the information in accordance with the standards and guidelines. This will help position the FI to have discussions with their regulators and law enforcement agencies on the effectiveness of this component of an FI’s FCRM programme and the balance of resources applied to achieving each of the three principles.

**3.3. The FI can evidence oversight through formal governance of its self-assessment on its provision of highly useful information to relevant government agencies.**

For example, an FI might include in its existing reporting to, and discussions with, the Board, highlights of how the FI has provided useful information to law enforcement with examples of how the information contributed to the social good of creating safer communities. This could enable an FI to understand the impact it is having in this important area of responsibility in which it invests substantial resource.

Conclusion

In setting out this framework, and associated Principles, the Group believes that IA can assist their FIs in the fight against financial crime to their best effect by measuring FCRM outcomes using the Wolfsberg Factors. In doing so, IA will not only promote effective FCRM within FIs, but equally support how supervisors may also seek to assess the effectiveness of their regulated entities and the industry as a whole.

Footnotes

[^1]: The term “FI” as used in the Principles and Measures is meant to refer to the first and second lines of defence as distinguished from the Internal Audit Function.

[^2]: The order of Factors Two and Three has been reversed when compared to the 2019 Wolfsberg Group Statement on Effectiveness. This provides a more coherent flow of the Factors as applied to an audit programme in this document.

[^3]: The term ‘government agencies’ includes those law enforcement and security agencies and authorities responsible for protecting their communities from the harms identified in FI reporting.

[^4]: IA functions may undertake and express the results of their work in a variety of different ways, including publishing Audit Reports, undertaking Continuous Monitoring, raising Real-Time Issues, etc.

[^5]: First and second lines of defence are also responsible for assessing the effectiveness of controls.

[^6]: Industry standard is at least annually, per standard 2010.A1 of the International Standards for the Professional Practice of Internal Auditing as issued by The Institute of Internal Auditors.

[^7]: The term “governance documents” includes policies and procedures at a minimum; further documentation will depend on how each FI has established its wider governance documentation requirements. This could include Standards, Guidance, Desktop Operating Instructions, technical user guides, amongst others.

[^8]: See footnote 2.

[^9]: This measure is the counterpart to Measure 1.1 above, which focused on the prescriptive requirements of law and regulation; it incorporates the FI’s judgement-based requirements (e.g. interpreting what it means to have ‘a reasonable set of controls’, defining a ‘risk appetite’, interpreting ‘regulatory expectations’ and setting out what constitutes ‘suspicious activity’).

[^10]: Of note, the effectiveness of an FI’s support to national security and foreign policy objectives may be evidenced through the absence of reporting to relevant government agencies, e.g. a lack of downstream interdictions, subpoenas or blocking of assets.

[^11]: For more information on how to assess risk in defined priority areas, see The Wolfsberg Group Statement on Demonstrating Effectiveness.
