CISI Combating Financial Crime study guide for adequate procedures and penalties, with learning objectives, UK control cues, and exam traps.
Adequate procedures and penalties belongs to the CISI Combating Financial Crime Bribery and Corruption exam topic, weighted at 6%. Study it as a UK financial-crime control lesson: the paper usually asks whether you can classify the risk, place the right authority or obligation, and choose the next defensible control, escalation, or reporting step.
| Concept | What to know for CISI CFC review |
|---|---|
| Adequate procedures | A commercial organization can defend a failure-to-prevent bribery allegation by showing it had procedures designed to prevent bribery by associated persons. |
| Proportionate procedures | Controls should match the firm’s bribery risks, business model, jurisdictions, products, and third-party footprint. |
| Top-level commitment | Senior management must set, evidence, and enforce the anti-bribery culture rather than delegating the issue away. |
| Due diligence | The firm should understand higher-risk employees, agents, introducers, suppliers, joint ventures, and acquisition targets. |
| Monitoring and review | Procedures must be tested and updated; a static policy is weak evidence of control effectiveness. |
The adequate-procedures defence is not just a list of policy headings. It asks whether the organization genuinely designed and operated a risk-based anti-bribery programme. CISI questions often test which weakness undermines the defence: no senior commitment, no risk assessment, superficial due diligence, untrained staff, no approvals, or no monitoring.
| Principle | What good evidence looks like |
|---|---|
| Proportionate procedures | Controls tailored to gifts, hospitality, donations, procurement, public officials, agents, and higher-risk jurisdictions. |
| Top-level commitment | Board or senior-management communications, approvals, challenge, resources, and disciplinary follow-through. |
| Risk assessment | Documented bribery-risk assessment by country, sector, transaction type, product, channel, and third-party role. |
| Due diligence | Risk-based review of associated persons before appointment and during the relationship. |
| Communication and training | Targeted training, accessible policies, attestations, and clear escalation routes. |
| Monitoring and review | Testing, audit findings, red-flag reports, policy updates, and remediation evidence. |
Adequate procedures are not judged only by whether a document exists. The firm must be able to show that its procedures were designed for its bribery risk and operated in practice. A policy that does not reach sales teams, procurement staff, finance approvers, relationship managers, or third-party owners is weak evidence.
| Question | What a stronger answer looks for |
|---|---|
| Was the procedure risk-based? | controls reflect countries, sectors, public-sector exposure, products, and third parties |
| Was there senior ownership? | board or senior management reviewed risk, approved resources, and acted on red flags |
| Were associated persons covered? | agents, introducers, consultants, distributors, subsidiaries, and JV partners were assessed |
| Were controls applied before risk crystallized? | due diligence and approvals happened before appointment, payment, or contract award |
| Were exceptions escalated? | red flags were routed to compliance, legal, or senior anti-bribery owners |
| Was the framework tested? | monitoring, audit, quality review, and remediation showed operating effectiveness |
The exam trap is to treat adequate procedures as a slogan. The safer response asks what the organization can evidence at the time of the risk, not what it created after an investigation began.
| Principle | Evidence that helps | Weak evidence |
|---|---|---|
| proportionality | risk-tiered approvals, higher controls for public-sector and third-party cases | same checklist for every relationship |
| top-level commitment | senior challenge, resources, disciplinary action, and management information | one annual message with no follow-through |
| risk assessment | documented country, sector, transaction, and third-party risk review | risk assessment copied from another firm |
| due diligence | ownership, reputation, services rationale, fee review, and renewal checks | contract signed before review |
| communication and training | role-specific training, attestations, escalation testing | generic e-learning with no relevance to job role |
| monitoring and review | audit tests, exception reports, red-flag trends, remediation tracking | issues logged but not fixed |
This evidence map is useful because scenario questions often give one missing element. If the stem says a policy exists but fees were never reviewed, the weak point is due diligence and payment control. If the stem says audit findings were ignored, the weak point is monitoring and review.
An associated person is a common exam trigger. The point is not limited to employees. A person or entity performing services for or on behalf of the organization can create failure-to-prevent risk, depending on the facts. That makes third-party due diligence central to adequate procedures.
Good due diligence should test:
The fact that a person is labelled as an “independent consultant” or “overseas agent” does not end the analysis. The exam asks whether the person is performing services for or on behalf of the organization and whether the payment or conduct is intended to obtain or retain business or a business advantage.
| Associated-person clue | Why it matters |
|---|---|
| agent is paid only if a public contract is won | fee may be tied to influencing a decision |
| consultant has no clear technical role | services rationale may be weak or fabricated |
| distributor handles public-sector introductions | public-official and procurement risk may be indirect |
| joint-venture partner controls local payments | firm may not see onward payments without oversight |
| subsidiary uses local intermediaries | group controls may need to cover local business practices |
| employee bypasses gifts or hospitality approval | internal associated-person conduct can undermine procedures |
The stronger answer normally withholds approval or payment until the firm has enough evidence of legitimate services, transparent ownership, proportionate fees, and defensible payment routes.
| File element | Why it matters |
|---|---|
| business rationale | explains why the third party is needed |
| ownership and control | identifies hidden officials, family links, PEPs, or conflicts |
| adverse media and enforcement checks | surfaces reputation and integrity concerns |
| service scope | defines what work will be performed and evidenced |
| fee benchmark | tests whether compensation is proportionate |
| payment-account verification | prevents value being routed to unrelated parties |
| anti-bribery contract clauses | creates audit, termination, compliance, and cooperation rights |
| approval record | shows who accepted the risk and on what evidence |
| ongoing monitoring | verifies invoices, deliverables, and new red flags after onboarding |
Due diligence is not a one-time onboarding ritual. If the third party later changes bank accounts, requests a new fee structure, adds a sub-agent, or moves into a public-sector contract, the firm may need to refresh its review.
The exam may ask why a firm should treat anti-bribery controls as a serious governance topic. Consequences can include corporate fines, individual criminal liability, imprisonment for individuals, confiscation or recovery action, debarment from public contracts, civil litigation, regulatory consequences, loss of licences or mandates, reputational damage, and remediation costs.
The stronger answer often links penalty risk back to controls. A firm does not manage bribery risk by writing a policy once. It must evidence that procedures were proportionate, understood, applied, monitored, and improved.
Penalties are not only about the underlying bribe. They can also reflect the organization’s failure to prevent, detect, escalate, or remediate known risks. In exam scenarios, the penalty angle often appears through repeated red flags, ignored audit findings, weak senior oversight, or unsupported payments.
| Consequence | Exam relevance |
|---|---|
| corporate fine | failure-to-prevent or weak control evidence can expose the organization |
| individual liability | employees, managers, or third parties may face personal consequences |
| imprisonment | serious individual bribery offences can carry custodial risk |
| confiscation or recovery | benefits from bribery may be recovered or restrained |
| public-contract debarment | bribery can damage eligibility for government work |
| regulatory consequences | fitness, propriety, governance, and systems-and-controls issues may arise |
| civil litigation | counterparties, shareholders, or customers may claim loss |
| remediation costs | monitors, reviews, training, system changes, and investigations can be expensive |
| reputational damage | trust with clients, counterparties, regulators, and banks can be impaired |
The control lesson is that penalty exposure is reduced by prevention evidence before the event and remediation evidence after weaknesses are identified.
When bribery concerns arise, an adequate-procedures answer should not stop at “investigate.” The firm should also prevent recurrence and evidence remediation.
| Red flag | Remediation response |
|---|---|
| third-party file lacks ownership information | suspend approval and complete ownership/control review |
| success fee is unsupported | benchmark fee, require services evidence, and escalate |
| gifts register shows repeated public-official hospitality | review approvals, timing, recipients, and training |
| audit finds weak due diligence | assign owner, remediate files, and retest completion |
| staff do not know escalation route | deliver role-specific training and test understanding |
| payment account differs from contract | hold payment and verify recipient before release |
| senior manager ignored warnings | escalate governance failure and review accountability |
Strong answers also preserve evidence: contracts, invoices, bank details, approvals, emails, due-diligence notes, meeting records, gifts registers, and audit findings.
| Weak evidence | Stronger evidence |
|---|---|
| Generic anti-bribery policy copied from another business | Risk-based procedure tailored to the firm’s countries, services, and third parties |
| Annual training with no role specificity | Targeted training for sales, procurement, finance, relationship managers, and approvers |
| Third-party file with only a signed contract | Due diligence, ownership checks, services rationale, fee benchmark, approval, and review |
| No gifts or hospitality register review | Register monitoring for frequency, timing, recipient type, and approval breaches |
| Internal audit finding left open | Remediation owner, deadline, retesting, and senior-management visibility |
| Scenario cue | Better answer pattern |
|---|---|
| “we have a policy” but no due diligence | policy alone is weak; assess risk-based procedures and evidence |
| overseas agent pays alleged bribe | assess associated-person risk and adequate-procedures evidence |
| board never receives bribery MI | top-level commitment and governance evidence may be weak |
| public-sector hospitality is approved informally | gifts/hospitality controls and approval records are inadequate |
| audit identified issues last year | monitoring and remediation are weak if findings remain open |
| small firm has no tailored controls | proportionality does not mean no procedures |
| consultant refuses ownership disclosure | approval should pause pending due diligence and escalation |
| training is generic and not role-based | communication and training may not match actual risk |
A firm is investigated after an overseas introducer allegedly paid a bribe to help win business. The firm has a high-level anti-bribery policy but no documented third-party due diligence, no fee rationale, and no evidence of monitoring the introducer. Which point most weakens the firm’s adequate-procedures position?
A. A written policy exists, so no further evidence is relevant.
B. The introducer was overseas, so UK anti-bribery controls are automatically irrelevant.
C. The lack of risk-based third-party due diligence, fee review, and monitoring suggests the procedures may not have been adequate in practice.
D. Only individual employees can create bribery risk for a commercial organization.
Answer: C. Adequate procedures require more than a generic policy. Third-party risk must be assessed, documented, approved, monitored, and reviewed in a way proportionate to the bribery risk.
For final review, memorize the adequate-procedures logic as evidence rather than slogan: senior commitment, risk assessment, due diligence, communication, training, monitoring, and remediation. In scenarios, ask which piece of evidence is missing or ineffective.
A useful revision grid is: associated person, business advantage, procedure principle, missing evidence, next control action. This converts broad legal language into the exact decision the exam usually tests.
Return to the CISI Combating Financial Crime guide for the full exam-topic table, or use the CFC Cheat Sheet for threat classification, UK authority cues, and final review prompts.