Fraud Policy

APPROVAL AND CONTROL

IMPLEMENTATION OF POLICY

This Policy shall be deemed effective as of 06/02/2023. No part of this Policy shall have retroactive effect; it shall thus apply only to matters occurring on or after this date.

This document shall be subject to periodic reviews in accordance with changes in:

  • Local and international legislation.
  • Industry best practice.
  • Internal changes in the business that impact the products available and relevant revenue streams.

The Board review and approve all changes before they are implemented. Minor changes are reflected by incrementing the version number as 1.1, 1.2, 1.3, etc.

Where significant changes to the document are made, these are reflected in a new version number as 1.0, 2.0, 3.0, etc.

1. INTRODUCTION

SF Private Bank operates at 83-85 Baker Street, Marylebone, London W1U 6AG.

This fraud policy sets out the responsibilities of SF Private Bank and its employees regarding observing and upholding a zero-tolerance position on internal and external fraud.

This policy is applicable to all financial service operations of SF Private Bank, and the responsibilities thereof.

1.1 APPROACH TO FRAUD PREVENTION

Fraud is the use of deception with the intention of obtaining an advantage for the individual or for a third party or parties. This can often include avoiding an obligation, or causing loss to another party, financial and/or material.

Regarding SF Private Bank’s obligations, fraud is not a specific offence specified by the relevant authorities. It is instead a catch-all term which includes:

  • Forgery of documents.
  • Deception.
  • Prejudicing creditors.
  • Tax fraud.
  • Economic fraud.

Therefore, for the purposes of the policy, fraud includes, but is not limited to:

  • Theft or misappropriation of assets owned or managed by SF Private Bank.
  • The submission of, or receipt of a submission, involving false claims for payments or reimbursement.
  • Blackmail or extortion by or against SF Private Bank employees.
  • 'Off the books' accounting or knowingly creating and/or distributing false or misleading financial information.
  • Violation of SF Private Bank’s procedures with the aim of personal gain or to the detriment of SF Private Bank.
  • Wilful negligence, or deliberate acts intended to cause material damage to SF Private Bank.
  • A dishonourable or reckless or deliberate act against the interests of SF Private Bank.
  • Any irregularities performed by SF Private Bank employees, which may include:
      • Any purposeful administrative or financial mismanagement.
      • Any misinformation or omission of information relating to a financial transaction.
      • Any negligent act prejudicing the operations of SF Private Bank.

Fraud occurs where there is a lack of adequate controls applied to the internal prevention of fraud. Fraud events may also arise where SF Private Bank employees fail to observe the internal controls, act carelessly regarding the fulfilment of their responsibilities, or have inadequate permissions within their duties, which puts them at risk of receiving or committing fraud.

To assist in identifying occurrences of Fraud, SF Private Bank has recognised four basic elements which are usually present when fraud occurs.

These are:

  • Individual(s) inside or outside of SF Private Bank who are willing to commit fraud.
  • Assets or funds that are capable of being acquired, used, or disposed of in a fraudulent manner.
  • There is an opportunity for intent, or a carelessness towards controls, which allows the committing of fraud.
  • There are no controls, or inadequate controls, in place, which allows fraud to occur.

This policy is the guiding document for the prevention of fraud at SF Private Bank and will be reviewed as and when required due to changes in operational risk and best practices, as appropriate.

2. PREVENTION AND APPROACH

This policy sets out the procedures implemented by SF Private Bank to mitigate the threat of fraud and the ways in which SF Private Bank responds to allegations of fraud. SF Private Bank understands that the delivery of financial services brings with it the threat of fraud. Therefore, to effectively protect its customers and employees, SF Private Bank ensures all internal and external fraud risks are identified, and that appropriate controls are implemented.

This means all SF Private Bank employees are required to actively prevent fraud by meeting the following standards:

  • Fraud of any kind will not be tolerated, even if it is to the benefit of SF Private Bank.
  • Employees who commit an act of fraud will be terminated, and/or reported to the authorities.
  • Employees who commit an act of irregularity may be subject to disciplinary action, leading to termination if found necessary.
  • All staff have an obligation to report suspected fraud or an act of irregularity to the MLRO.
  • All implemented controls must be adhered to by all employees.

2.1 RESPONSIBILITIES

All SF Private Bank employees are required to minimise the occurrence and impact of fraud events. However, SF Private Bank recognises that employees' responsibility and ability to mitigate the risk of fraud cannot be achieved without support from SF Private Bank’s Senior Management.

Therefore, SF Private Bank’s Senior Management recognises the following responsibilities:

  • Establish a culture of anti-fraud within the business.
  • Set the standards for risk avoidance and management.
  • Ensure and practice transparency, openness, and accountability regarding fraud.
  • Implement and review SF Private Bank’s anti-fraud procedures.
  • Ensure employees have sufficient resources to meet the responsibilities imposed upon them.
  • Recruit employees, and/or onboard third-party service providers whose role is to monitor for fraud.

2.2 INTERNAL FRAUD PREVENTION

Internal fraud relates to fraud committed by individuals operating within SF Private Bank. For example, internal fraud may be employees accessing payment systems and instructing fraudulent transactions.

Internal fraud may include, but is not limited to, the following:

  • Fraudulent payment documentation.
  • Misuse of company-issued payment instruments/cards.
  • The claiming of false or inappropriate business expenses.
  • The appropriation of internal funds and the releasing of those funds via fraudulent payments.
  • The interception of SF Private Bank revenue, or the failure to declare/pass on revenue where obtained.
  • Allowing unauthorised access to financial data.
  • Unintentional and purposeful loss of business information.
  • Any purposeful material damage inflicted against SF Private Bank which is misrepresented as accidental.

To mitigate such risks, all activities relating to financial operations and the movement of funds are verified by multiple authorised employees. Fraud-preventative two-factor authentication is required before any payment system can be accessed and payments processed.

Additionally, all accounts are reconciled twice daily, at open and close of business. This process is to identify suspicious activity which may indicate the occurrence of fraud. Where suspicious activity is identified, an incident will be raised via the internal Suspicious Activity Reporting (SAR) procedure, the event investigated, and the relevant controls reviewed for suitability.

In relation to employees accessing and abusing sensitive customer or payment data for fraud purposes, access is granted to only those that need it in the fulfilment of their role within SF Private Bank. Access is determined based on a risk assessment and reviewed annually.

Data access and usage is reviewed constantly by SF Private Bank’s CTO to ensure that only authorised employees have accessed suitable data. Where unauthorised individuals have been found to have accessed sensitive payment data without the required authorisation, an incident will be raised, and the relevant controls reviewed.

2.3 EXTERNAL FRAUD PREVENTION

External fraud relates to external individuals or organisations attempting to infiltrate SF Private Bank to obtain and abuse the products, services, and operational procedures available. SF Private Bank is aware such parties may also include employees of a third-party service provider partnered with SF Private Bank.

To prevent external access to information, systems and sensitive customer and payment data, all SF Private Bank access is controlled by procedures outlined by the latest SF Private Bank Information Security Policy, overseen by the ISO. Access to systems and underlying data is provided only to those for whom it is essential to their role within SF Private Bank, and even then, activity is monitored.

Technical systems are also protected and monitored for any potential hacks or compromise attempts. This is applied using appropriate third-party technology and encryption.

In instances where external individuals or organisations attempt to commit fraud by using stolen customer details, SF Private Bank provides a preventative mitigation by applying Customer Due Diligence (CDD) procedures, as outlined by the latest Anti-Money Laundering and Counter-Terrorist Financing Policy.

CDD controls are both preventative and detective in nature as they are implemented both before the start of any business relationship and procedurally throughout.

All customer accounts are monitored for fraudulent activity. Where suspicious activity is identified, the internal SAR process is followed, and an investigation undertaken. Customers are also able to report a fraudulent event by contacting SF Private Bank customer service, and employees are encouraged to take any motivation of fraud as high priority.

Employees that are informed of fraud via customer communication are to inform the MLRO immediately.

The effectiveness of security credentials for both customers and employees is assessed via the customer notifications and/or SARs raised. Investigations both into customer communications and SARs cause the relevant controls to be reviewed.

2.4 REPORTING FRAUD

All suspected instances of fraud or irregularity must be reported to the MLRO. The MLRO is responsible for notifying Senior Management of fraud events. Where fraud events involve the MLRO, the MLRO's responsibilities are delegated to a nominated Compliance Officer. Should Senior Management be implicated in fraudulent activities, the relevant law enforcement agencies shall be notified directly.

Where allegations or suspicions arise, the MLRO, with guidance from Senior Management where appropriate, determines the most appropriate and proportional course of action.

The following will be considered to determine the appropriate response to suspicions of fraud or irregularity:

  • Law enforcement agencies may be contacted in instances where criminal charges may be warranted.
  • Legal counsel involvement shall always be considered when dealing with suspicions of fraud.
  • If specialist skills are required, external specialists should be consulted/acquired.
  • A spokesperson regarding matters relating to the incident shall be designated.

Any individual(s) suspected of irregular and/or fraudulent activities should not be confronted prior to commencement of the investigation process. Records related to the activity may need to be seized before the suspected individual(s) becomes aware of any investigation.

If in the opinion of the investigating team fraud is probable, employees suspected of such irregularities and/or fraud will be suspended pending investigation. Employees suspected of irregular and/or fraudulent activities have legal rights that must be respected.

Details of the investigation must remain confidential to all but the MLRO, Senior Management and the Compliance team (where appropriate), legal counsel, and/or law enforcement agencies.

The MLRO will also review details of the operational weaknesses and ascertain why or if the fraud event was not prevented or detected promptly. The MLRO then provides recommendations for improving the controls to prevent or detect similar events.

SF Private Bank employees are encouraged to report any doubts to the MLRO or Senior Management regardless of whether the report turns out to be valid. If an employee is confused or has doubts when compiling a report, then they should contact the MLRO for guidance.

The controls outlined in this policy have been designed to prevent a fraud related issue from occurring. The MLRO submits a review of anti-fraud controls, procedures, policies, and culture within SF Private Bank.

On a monthly basis, SF Private Bank will collect the following information:

  • Total value and volume of fraudulent payments processed via e-money.
  • Total value and volume of fraudulent payments processed via bank transfer.
  • Breakdown of fraud by type.
  • Cost of fraud to SF Private Bank.

SF Private Bank will make use of reported incidents of fraud recorded in SARs to collate this data. Where there is fraud data to report, fraud data is added to a monthly Management Information pack, which is presented to the SF Private Bank Senior Management for review.

3. RECRUITMENT AND TRAINING

SF Private Bank is required to run due diligence checks on any prospective or existing employees. Understanding and knowing exactly who SF Private Bank is engaged with, and the nature of any business relationships (e.g., employees, suppliers, service providers, etc.), can help to protect SF Private Bank from taking on people who might pose a risk of fraud events occurring.

SF Private Bank’s recruitment program is aimed at checking the background and references of all new and existing employees as well as ongoing criminal background, politically exposed persons (PEP), and sanction checks.

The level of due diligence will be proportionate to risks posed by the associated person and the nature of their relationship with SF Private Bank.

3.1 RECRUITMENT

As part of undertaking due diligence on a potential employee, SF Private Bank will:

  • Identify the potential employee and verify their identity.
  • Conduct screening on the individual, including PEP, sanction, and adverse media screening.
  • Identify the potential employee’s experience and skills.
  • Assess the potential employee’s suitability for the service/activity they will be performing.
  • Understand the activities the potential employee will be performing.
  • Identify and disclose potential and actual conflicts of interest.
  • Gain reasonable assurances about past conduct.
  • Confirm the rationale for hiring the potential employee.

When assessing the risk posed by a potential employee, SF Private Bank considers the risk factors related to the:

  • Contractual structure including compensation, and incentives.
  • Activities/services the potential employee will undertake.
  • Location/Geographies from where the potential employee will be operating.
  • Potential employee’s integrity, reputation, and historic behaviour.

3.2 TRAINING

Fraud awareness training underpins fraud prevention and detection. SF Private Bank ensures that all employees are aware of their responsibilities for fraud control and ethical behaviour. Targeted training is provided for new employees, and refresher training is given to current employees annually.

Training covers the following subject areas:

  • SF Private Bank’s Fraud Policy.
  • Definition of fraud.
  • Employee responsibilities.
  • Spotting indicators of fraudulent activity.
  • Steps to be taken if fraud is suspected.