The establishment and re-assessment of financial crime frameworks and the mitigation of financial crime risk have been at the forefront of numerous discussions taking place not only in Malta, but also worldwide. The recent increase in regulatory pressure, the imposition of more burdensome penalties and the increased sophistication surrounding the manner in which financial crime is being carried out have undoubtedly instilled greater awareness vis-à-vis the need to have more robust financial crime frameworks in place.

What is financial crime?

Simply put, financial crime is a crime against property which involves the illicit conversion of ownership of property for one’s individual use and benefit. Although there exists no universally accepted definition, the term is now becoming part of the lexicon of the financial services industry, and therefore needs to be properly understood. One may describe financial crime as: “any non-violent crime that generally results in a financial loss” and usually involves “fraud or dishonesty, misconduct in, or misuse of information”.

What is a financial crime framework?

The term “financial crime framework” refers to a clearly documented framework against which the organisation shall sustain uniformity when managing financial crime risk. The aim of a financial crime framework is two-fold:

  • to provide transparency and give insight to the organisation vis-à-vis the various ways financial crime related risk may be manifested; and
  • to provide mechanisms which the organisation must adopt to prevent, detect and deter such risks which may arise.

Needless to say, an effective and efficient financial crime framework would therefore not only highlight the potential risks to which the organisation may be exposed, but would also include several policies, procedures and controls by which the organisation (and its employees) must abide to mitigate such risks.

Each organisation must have its own framework drawn up to cater for its specific line of business; this is generally done after having taken into consideration a number of elements. Evidently, establishing a financial crime framework is not a “copy-paste” exercise and there is no one standard document which companies must adopt.

In practice, prior to compiling a financial crime framework the organisation must first understand:

  • the risk appetite of the organisation; and
  • the risk to which the organisation is exposed.

The above is normally determined through a business risk assessment of the organisation (this would take into account potential risks that may arise in terms of its clients, geographic locations, interface, products and services).

Establishing a financial crime framework

Typically, an effective financial crime framework would cater for the following:

Awareness: A clear description of the risk appetite of the organisation as well as the potential risks to which the organisation may be exposed is essential. It is imperative that the risk appetite of the organisation is documented, maintained and communicated in a clear, easily understood manner.

Internal Direction: This is crucial to ensure proper and effective implementation of the financial crime framework as a whole and would generally include the following:

  • Procedures to ensure that threats related to financial crime are prevented and/or detected in their early stages;
  • Procedures clearly stipulating the roles and responsibilities of all employees; and
  • Procedures setting out the manner in which appropriate and corrective action may be taken.

The framework should also stipulate the manner in which the organisation shall effectively respond and investigate such risks. This final step is crucial to determine how the identified risks are handled and resolved and would generally include protocols for the escalation and reporting of concerns and suspicion.

The outcome and level of detail entered into will vary depending on the nature, size and complexity of the business. On an ongoing basis, a review of the effectiveness of the already established financial crime framework will need to be undertaken. The financial crime framework will need to be updated on a periodic basis and if there is a change in (i) the risk to which the organisation is exposed, or (ii) the risk appetite of the organisation. The framework shall at all times remain relevant to the assessed risk faced by the organisation.

Drawing up a financial crime framework: what to include and questions to ask

A holistic financial crime framework is the cornerstone to effective financial crime prevention. Primarily, when compiling such a framework, one would need to consider all types of financial crime to which their business is / may be vulnerable. Inter alia, these may include market abuse, fraud, money laundering, terrorist financing, sanctions, cybercrime, bribery and corruption etc.

As detailed above, a financial crime framework is organisation-specific; however, the thought process behind its completion would generally stem from more-or-less the same questions. Although not exhaustive, these may include the following:

  • What are the main financial crime risks that the business is exposed to?
  • How are new or emerging financial crime risks identified?
  • How are financial crime risks assessed, considered, escalated and recorded?
  • How often will reviews be carried out and what might trigger such review?
  • What control mechanisms need to be in place to effectively deal with such risks?
  • How will any gaps in control mechanisms be identified?

Financial Crime Frameworks are not static and need to be revised/reviewed on an ongoing basis thereby ensuring the controls implemented remain relevant and adequate. Organisations should therefore:

  • Regularly ensure that all financial crime risks have been addressed / those addressed are still relevant;
  • Carry out regular revisions (or as often as necessary) to the financial crime framework;
  • Remain aware of external changes, as well as internal changes (e.g. changes in the jurisdiction in which the business operates, operational activities).


Ultimately, in order to effectively put all of the above into practice, any organisation must ensure that it has sufficient and effective resources and systems in place to successfully carry out its obligations. For a financial crime framework to be effective it is necessary that this is integrated into the business and not simply seen as an “add on”. In order for the latter to be possible, all staff must be given sufficient training so as to understand what they need to be aware of / on the “look-out” for and notably, how to implement the said framework.

A robust financial crime framework will not only prevent shortcomings from arising but will also place the organisation in a better position to identify certain issues before they actually become a concern. Naturally, this will lead to a more effective compliance solution.