Financial crime risk management
Barclays adopts an integrated approach to financial crime risk management. In line with the five-step risk management model, Group Financial Crime Management (GFCM) has the responsibility to direct, assess, control, report and manage/challenge financial crime risks, which are structured into three strands: anti-money laundering (AML) and sanctions; fraud; and security.
Each business unit within Barclays develops its own capability to tackle financial crime, providing regular reporting on performance, incidents and the latest trends impacting business. This integrated model allows us to:
– Develop a clear profile of financial crime risk across the Group.
– Share intelligence, adopt common standards and respond promptly to emerging issues.
– Drive forward law enforcement and other Government initiatives.
– Benchmark ourselves against other financial institutions facing similar challenges.
Anti-money laundering and sanctions risk
The Group assesses the implications of all emerging legal and regulatory requirements that impact it and establishes policies and procedures in respect of AML, terrorist financing and sanctions, updating these regularly.
It operates an AML assurance programme to ensure a system of effective controls to comply with the overarching policies, providing technical guidance and support to each business unit.
GFCM collates and oversees the preparation of Group-wide management information on AML and sanctions. This information includes risk indicators, such as volumes of suspicious activity reports (SARs), and is supplemented by trend analysis, which highlights high-risk or emerging issues so that prompt action can be taken to address them.
Three committees (the Sanctions Cross Cluster Operational Review Board, the AML Steering Committee and the Policy Review Forum) review business performance, share intelligence, develop and agree controls, and discuss emerging themes and the implementation status of policies and procedures.
All businesses contribute towards the Group Money Laundering Reporting Officers Annual Report, which is provided to Group Senior Executive Management and is available to the FSA. Together with regular management information and conformance testing, this report updates senior management with evidence that the Group’s money laundering and terrorist financing risks are being appropriately, proportionally and effectively managed.
During 2007, the Group augmented its AML capability, implementing the third EU money laundering directive, with its guiding principle of a risk-based approach. For AML, this must be proportionate to the perceived risks and threats, including terrorist financing.
A new Group AML Policy, launched in December 2007 and encapsulating the risk-based approach, has further improved the Group’s customer due diligence procedures and standards, transaction monitoring and staff training and awareness.
The Group also implemented EU Regulation 1781/2006, which aims to ensure thorough and robust audit trails concerning electronic transfers. This assists the Group in monitoring its AML and terrorist financing and improves the information available to law enforcement authorities.
Barclays continues to upgrade its sanctions screening capabilities, in line with best international practice and changing regulatory requirements. The Group has invested substantial resources to further enhance its monitoring capabilities in this area and will continue to do so.
In 2008, the Group will review procedures to ensure compliance with forthcoming legislation concerning the Single European Payments Area (SEPA). Should the US enact current draft legislation outlawing the use of the international payments and clearing systems for perceived illegal US internet gaming transactions, further enhancements to payments activity monitoring will follow.
Fraud risk
The Group establishes and operates a fraud risk control framework which measures overall fraud risk exposure and controls. Together with Group-wide policies, this directs how fraud is managed.
The Group Financial Crime Management team (GFCM) is responsible for delivering the overall fraud strategy and providing oversight to Group and Business Units in order to manage fraud risk. The strategy is designed to:
– Identify emerging threats in order that effective controls are embedded across the Group and build up capability to manage risk.
– Identify and manage fraud incidents, ensuring regulatory and legal conformance, appropriate escalation and control issues are addressed to prevent further loss.
– Work proactively to highlight areas of concern in order that remediation can take place.
GFCM assesses the fraud risk of existing and emerging products, services, processes and jurisdictions to drive down fraud losses as turnover/growth increases. It also represents Barclays at trade, industry and Government bodies, providing a conduit to maximise the flow of information and intelligence. GFCM also provides technical expertise to business areas, whether to drive through Group solutions or provide assistance with specific incidents and investigations.
Business Units, together with product holders and channels, identify their appetite for fraud loss, which informs and determines the overall fraud plan. Objectives are then set around these plans.
At a business level, fraud risk/loss committees track fraud (and in some cases operational) loss. The Barclays Group Fraud Risk profile is exercised regularly through the review and challenge of the net losses and key risk metrics; these are then viewed against the overall Fraud Risk Profile (Fraud Oversight Committee).
Fraud is reported monthly to senior management both within the Business Units and to Group, who provide a global oversight of fraud loss. Fraud is measured against plan for both net and gross losses and in line with the Principal Risk Policy; Key Risk Indicators (KRIs) are embedded in order that overall exposure can be established.
As a result of this process, fraud performance both at Business Unit and Group level can be measured and appropriate action taken to minimise or track significant issues.
Externally there are ‘in country’ industry-wide forums to which Barclays contributes and in some cases can benchmark performance, controls and current and emerging issues.
Barclays' overall reported fraud losses fell in 2007, with most of the reduction coming from significant falls in internet banking fraud. As part of its efforts to enhance security, Barclays offers all its personal customers complimentary internet security software to reduce phishing attacks. The Group has also rolled out two-factor authentication technology using the new PINsentry device to make online transactions more secure. Enhanced transaction profiling has further improved our ability to identify where customer accounts have been targeted by fraudsters and take preventative action to protect funds.
Following the loss of personal data, including bank details, by both Government agencies and other third parties, data protection and security was a prominent theme in 2007. Barclays treats any incident of this nature with the utmost importance and has worked closely with industry and the Government to take steps to:
– Reassure customers and provide points of contact for help and guidance.
– Protect any customer accounts whose details may have been compromised.
– Develop a standard approach for dealing with accounts that may be impacted by data security breaches.
Security risk
Group Financial Crime Management (GFCM) also manages security risk. Its fundamental objective is to allow Barclays to operate in a safe and secure manner in all existing and potential future markets.
In pursuit of this objective, the Security Risk team gathers and shares current threat assessments across business areas, using intelligence from Security and Government Agencies and ‘in country’ teams. It ensures that suitable policies and control systems are in place to protect Group business and that plans to protect high-risk personnel are fit for purpose and in line with accepted best practice.
Barclays has developed and continues to improve a robust people screening process to protect the bank from those people who want to harm the organisation, by either joining as staff members or becoming involved with its operations.
Security Risk is regularly reported by the businesses and reviewed via the Security Risk Management Committee, whose objectives are to:
– Consider the latest management information and security threat assessments.
– Drive forward mitigating action to protect the Group from potential threats.
– Provide guidance to the design and effectiveness of the overall Barclays Security Risk framework.
– Ensure all Security Risk workstreams have been effectively integrated and implemented.
– Monitor corporate security profiles against the agreed plan, tracking issues in order that remedial action can be taken.