Fraud Controls Checklist 2024
Combatting fraud is a time- and resource-intensive challenge for financial institutions, and currently a topic of high priority for governments, legislators and supervisors such as the Financial Conduct Authority (FCA) and the Payment Systems Regulator (PSR). Given the scale of the problem and the constant stream of new requirements and regulatory guidance, working out how best to tackle the threat can be daunting.

FINTRAIL has reviewed the FCA’s most recent “Dear CEO letters” (March 2023 and March 2024) and its latest publications on fraud (Anti-Fraud Controls and Detecting and Preventing Money Mules), recent PSR publications, relevant parts of the FCA’s Financial Crime Guide, and JMLSG Guidance, to create this fraud assurance checklist to help ensure that your anti-financial crime framework is primed and prepared for the risks it faces.
Does the firm have a clear picture of what parts of the business are targeted by fraudsters, such as which products, services and distribution channels are vulnerable?
Does the firm understand the threats and typologies it may be exposed to relating to fraud, such as authorised push payments or money mules?
Does the firm frequently review its internal risk appetite statements to ensure that these adequately address the risks of fraud?
Are systems and controls to detect and prevent fraud coordinated across the firm, with resources allocated on the basis of an assessment of where they can be used to best effect?
Has the firm assigned a risk owner for fraud risk and its controls, and where ownership is shared across the business, are those responsibilities clear?
Does the firm ensure that fraud losses are accounted for clearly and separately from other losses?
Does the firm proactively prioritise the mitigation of fraud when reported fraud levels increase?
Does the firm analyse fraud trends and use this information to inform its risk assessment and transaction monitoring?
Does the firm produce sufficient MI to fulfil its regulatory reporting obligations related to fraud reporting?
Does the firm have a process in place to respond to reported fraud increases?
Is the firm's fraud and complaints team adequately staffed to deal with customers' fraud complaints and fraud cases?
Has the firm developed and documented its fraud risk management framework?
Does the firm frequently review its internal policies and procedures to ensure that these adequately address the risks of fraud?
Are the firm’s fraud policies and procedures easily accessible to all employees?
Does the firm have in place a definition of ‘gross negligence’ and ‘vulnerable customers’?
Does the firm sufficiently know who its customers are to guard against fraud, including impersonation fraud?
Does the firm hold and maintain appropriate customer due diligence controls at the onboarding stage and on an ongoing basis to identify and prevent accounts being used to receive proceeds of fraud or financial crime?
Does the firm hold and maintain appropriate customer due diligence controls at the onboarding stage and on an ongoing basis to identify customers who may be susceptible to fraud?
Does the firm have adequate measures in place, through training, resources or third-party technology, to ensure that documents provided are genuine and not forged or counterfeit?
When processing applications, does the firm consider whether the information the applicant provides is consistent? (For example, is declared income believable compared with stated employment?)
Does the firm’s customer risk assessment look at customer risk from both a victim-of-fraud and a perpetrator-of-fraud perspective?
Does the firm apply enhanced due diligence to customers who are believed / deemed to be facilitating fraudulent activity?
Does the firm apply stricter fraud controls to customers presenting a higher risk of fraud?
Context:
FINTRAIL was engaged by a cross-border money transfer business to conduct a review of its fraud controls and provide recommendations for suggested programme enhancements to help the client scale safely.
Solution:
FINTRAIL conducted a desktop review of the client’s financial crime documentation and held a series of workshops to understand the firm’s specific fraud risks and fraud-related controls.
Our final report made observations on areas of good practice and provided actionable recommendations for areas of improvement by theme (onboarding controls, transaction monitoring, risks, governance). These included implementing a customer risk assessment methodology that reflects fraud risk; defining a fraud-specific risk appetite; scaling governance and oversight operations in line with business growth; technical enhancements to the onboarding process; and new inputs into the transaction monitoring system.
Outcomes:
• The client was able to gain reassurance surrounding its existing controls and risk level, giving it the confidence to consider moving forward with its expansion plans.
• The client was able to benchmark its current controls against best practice and to identify areas for improvement and new technical capabilities to enforce the key control areas of onboarding and transaction monitoring.
6 Anti-Fraud Systems and Controls
Yes No
Does the firm have appropriate systems and controls in place to detect and prevent fraud, used for onboarding and transaction monitoring?
Has the firm developed a methodology ensuring the right parameters have been set and that these are aligned with the firm’s risk appetite?
Does the firm’s fraud control framework, including investigations and claims handling, comply with the PSR’s new reimbursement requirement?
7 Customer Screening
Yes No
Does the firm screen its customers and associated third parties (when appropriate) against adverse media related to fraud?
Does the firm screen its customers and associated third parties (when appropriate) against warning or enforcement lists, published by domestic and international law enforcement agencies or competent authorities, related to fraud?
Does the firm screen its customers and associated third parties (when appropriate) against anti-fraud databases such as CIFAS?
8 Transaction Monitoring
Yes No
Does the firm’s transaction monitoring system include fraud-specific rules?
Do the monitoring rules map to the inherent fraud risks identified within the firm's risk assessment?
Does the firm have sufficient monitoring in place to protect its vulnerable customers who may be especially susceptible to fraud?
Does the firm monitor both incoming and outgoing transactions for fraud risks?
Does the firm monitor for behavioural changes alongside suspicious activity relating to transactions?
9 Investigations and reimbursement
Yes No
Does the firm have a procedure in place to issue reimbursements within five business days?
Is there a clear SLA for fraud investigations and is this tracked appropriately?
Is there a process in place to ‘stop the clock’ to allow for investigations (up to a maximum of 35 days)?
Does the firm have a process in place to request timely information from customers when investigating APP fraud claims?
Does the firm have an internal and external reporting process in place for the fraudulent activity that has been identified?
Are fraud reports being actioned within a reasonable timeframe by the relevant team / members of staff?
Are customers who are deemed to have committed an act of fraud added to industry information sharing bodies, such as CIFAS, where applicable?
Does the firm engage with external bodies such as CIFAS, UK Finance, the National Economic Crime Centre (NECC) or the Fintech Fincrime Exchange (FFE) for intelligence and data sharing purposes to help identify and mitigate fraud risk?
Does the firm inform customers that there is a ‘prompt reporting requirement’ which requires consumers to report fraud no more than 13 months after the transaction has taken place in order to be eligible for reimbursement?
Does the firm have in place a consent agreement with its customers on reporting details of APP scams to the police following a claim?
11 Training and Customer Awareness
Yes No
As part of the anti-financial crime training provided to staff members, are the risks and an awareness of fraud covered?
Does the firm inform customers about fraud risks, including the latest techniques used by fraudsters and top tips for staying safe?
Does the firm challenge customers when required, upon identifying potentially fraudulent activity when processing payments?
Has the firm issued warnings and advice via traditional media and social media channels?
Does the firm have in place appropriate prompts when a customer makes a payment, such as confirming details of payments to new beneficiaries?
Is the firm’s assurance process able to measure the impact of its fraud strategy?
Does the firm regularly review and test its fraud prevention systems and controls to ensure that they are effective?
Does the financial crime annual audit undertaken by the firm also cover fraud?
13 Horizon Scanning
Yes No
Does the firm use horizon scanning to inform its approach to evolving fraud threats?
Has the firm assessed whether the new failure to prevent fraud offence will apply to it? (The offence applies to all large bodies corporate and partnerships, in all sectors, that meet two of the following three criteria: > 250 employees, > £36 million turnover, > £18 million in total assets.)
Context:
FINTRAIL was engaged by a business banking firm providing current accounts and invoice and book-keeping services to perform a review of its existing transaction monitoring capabilities, customer risk assessment, and risk scoring methodology to identify gaps and opportunities for improvement to reduce APP fraud exposure.
Solution:
FINTRAIL held a series of workshops with the client to understand the key fraud risks the firm was exposed to, along with its existing fraud-related controls and transaction monitoring rule set. This also included a review of the firm’s fraud risk management documentation, including its firm-wide risk assessment and CRA methodology. The last 12 months of suspicious activity reports and fraud reports were also reviewed in order to identify transactional patterns and customer profiles linked to suspected and/or confirmed fraud. Findings from these reviews supported further enhancements to the transaction monitoring rule set and CRA methodology.
Our report identified a series of findings and provided multiple recommendations to enhance the control framework to reduce APP fraud risk. The report also detailed a list of general transaction monitoring rules the firm should consider implementing.
Outcomes:
• The client gained an understanding of the effectiveness of its current framework in relation to its APP fraud exposure and the current risks and gaps ahead of the new APP reimbursement scheme changes in the UK.
• The client was provided with a detailed action plan translating the recommendations outlined in the report into actionable tasks. The action plan supported the client in managing its implementation of recommendations based on the priorities agreed.
How FINTRAIL can help
At FINTRAIL we are passionate about combating financial crime. Our unique team of experts is drawn from the industries we support and has deep hands-on experience in developing and deploying risk management controls from leadership roles with leading banks, FinTechs, and other financial institutions.
We have extensive experience assisting financial services businesses with audits and fraud assurance processes. We have a proven track record of identifying areas where clients can enhance their compliance and make their programmes more effective.

James Nurse
Managing Director
[email protected]
James leads FINTRAIL’s consulting team and oversees our execution of client projects globally. James has significant experience developing forward-thinking, technology-centric operating models. James has worked on a number of FINTRAIL’s fraud engagements over the past 6 years.
Before joining FINTRAIL, James held a Group Financial Crime and Fraud position for a large FX business and previous to that was the Head of Fraud for a small payments firm.