ECSH32575 - Checking compliance under the risk based approach
Following on from guidance on risk-based approach (RBA), when conducting compliance checks, you must ensure that both the business and HMRC follow a RBA; that is, focusing resources where the risk is highest.
HMRC follows the principles of good regulation in the Regulators' Code, which includes basing regulatory activities on risk.
Regulation 46(2) of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) also sets out that a supervisory authority must:
- adopt a RBA to the exercise of its supervisory functions, informed by the risk assessments carried out by the authority under regulation 17 of MLR 2017. These are the sector-specific “understanding risk and taking action” publications on GOV.UK
- ensure that its employees have access to relevant information on the domestic and international risks of money laundering and terrorist financing which affect its own sector
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
- base the frequency and intensity of its on-site and off-site supervision on the risk profiles prepared under regulation 17(4) of MLR 2017
- keep a record in writing of the actions it has taken in the course of its supervision, and of its reasons for deciding not to act in a particular case. (This content has been withheld because of exemptions in the Freedom of Information Act 2000)
- take effective measures to encourage its own sector to report actual or potential breaches of MLR 2017 to it, for example by allowing reductions to financial penalties where a breach is “unprompted”
- provide one or more secure communication channels for persons to report actual or potential breaches of MLR 2017 to it, for example using the contact us guidance
- take reasonable measures to ensure that the identity of the reporting person is known only to the supervisory authority (the confidentiality of information in the “contact us” link above)
Regulation 46(4) of MLR 2017 sets out that:
"In accordance with its risk-based approach, the supervisory authority must take appropriate measures to review—
(a) the risk assessments carried out by relevant persons under regulation 18;
(b) the adequacy of the policies, controls and procedures adopted by relevant persons under regulations 19 to 21 and 24, and the way in which those policies, controls and procedures have been implemented".
Therefore, you must recognise that businesses will do things differently and take account of the degree of discretion allowed (regulation 46(3)) when testing a business’s compliance with MLR 2017.
Compliance interventions
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
- decide how to address the risks and plan the intervention effectively
- check that the information held on the HMRC register is correct and that the business registered at the correct time
- check that beneficial owners, officers, and managers (BOOMs) of money service businesses (MSBs) and trust or company service providers (TCSPs) are fit and proper
- check BOOMs of art market participants (AMPs), accountancy service providers (ASPs), estate agency businesses (EABs), high value dealers (HVDs), and lettings agency businesses (LABs) have undergone the approvals check
- consider the money laundering, terrorist, and proliferation financing (ML/TF/PF) risks within a business
- ensure a business’s anti-money laundering, counter terrorist, and proliferation financing (AML/CTF/CPF) policies, controls, and procedures (PCPs) are appropriate to the risk
- test transactions and review customer files to check if appropriate measures for customer due diligence, ongoing monitoring and suspicious activity reporting have been followed in accordance with PCPs
- check that the business is aware of simplified due diligence procedures where appropriate
- accurately and securely record and retain information obtained
- evaluate your findings to ensure all risks have been appropriately addressed
- answer any questions the business may have on its legal obligations under anti-money laundering legislation
- clearly explain any areas of concern and agree action that the business needs to take
Purpose of compliance activity and your obligations
You must remember that the purpose of your activity is to make sure businesses are complying with MLR 2017, Part 3 of the Terrorism Act 2000 (TACT) and Parts 7 and 8 of the Proceeds of Crime Act 2002 (POCA). Compliance activity must not be undertaken for any other purpose, and you must ensure that any information obtained during a compliance check is reasonably required for our supervisory function.
If, while carrying out your duties, you know or suspect that a business is engaged in, or has engaged in, money laundering or terrorist financing, you must complete a suspicious activity report (SAR), which is sent to the National Crime Agency (NCA) via your team’s single point of contact (SPOC). You may also identify other risks which are not related to compliance with MLR 2017, for example tax evasion. This information does not need to be notified to the NCA but should be referred to an appropriate team using an intelligence report. You can find more information in the Referrals section of the Handbook.
You should never leave a risk unaddressed. If you are unsure of how to deal with a risk, speak to your manager.