ECSH32910 - Results from initial contact/review of documents

Having asked the business what their business activities are and how their business is organised, you need to establish how these work, in theory and in reality.  

Consider the below to help you plan your next steps: 

• who might you need to speak to at the compliance check? Directors, managers, staff, internal auditors 

• consider whether the business requires supervision, whether the activities are in scope or potentially out of scope [Link to ECSH 50000 Business sectors supervised by HMRC] 

• review whether the business model the trader has told you about appears to be the same as what you’ve established from the initial review. If not, has the business changed direction? Do the application details need updating? 

• Results from risk assessment, and policies, controls and procedures review 

• do they have a risk assessment (RA), and policies, controls and procedures (PCP)which set out how the business mitigates and manages the risks of money laundering, terrorist and proliferation financingin writing?See ECSH 33205 Checking risk assessment and management for more details. 

• and for Money Service Businesses (MSB) Money Transmitters, policies, controls and procedures for complying with the Funds Transfer Regulations and the requirements of Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfer of funds? 

• if the business has written RA and PCP documents, are they consistent with the business model and take into account all relevant factors? 

• do the length and complexity of the documents seem proportionate to the size and nature of the business based on results of your initial review? 

• do they meet the criteria in MLR 2017 Regulation 18/18A/19/19A? ECSH63360 - Risk assessment and controls: contents

• are there any processes you can’tunderstand or follow, that require explaining? 

• does the risk assessmenttake account of the National Risk Assessment (NRA) and information produced by HMRC or other relevant sources? Including “understanding risks and taking action” document for the relevant sector/s, found on Money Laundering Regulations

• do the documentsappear to be written by the business, or a third party, or a downloaded template? 

• do the documentsappear to bespecificto the business, or generic? 

• do the procedures effectively mitigate the risks identified in the risk assessment?  

• what follow up questions do you have, based on the documents? 

• do the documents refer to other documents you’ve not had sight of, such as a client risk assessment? 

At this point, consider doing ‘gap analysis’ to establish what you know and what do you still need to find out? See an example below.

What is known? What is not known? Consistencies Conflicts 

Who?

What?

Where?

Why?

When?

How?