ECSH33210 - Establishing policies, controls and procedures

Introduction

The policies, controls and procedures are required by regulation 19 (to mitigate and manage money laundering and terrorist financing risk) and 19A (in relation to proliferation financing) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations (MLR 2017). You must ensure you are familiar with the requirements of these regulations 

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

When preparing for a compliance check, you would usually request a copy of the business’s anti-money laundering, counter terrorist financing and proliferation financing (AML/CTF/CPF) policies, controls and procedures documents to review in advance. For the purposes of this guidance, the AML/CTF/CPF policies, controls and procedures documents will be referred to as the policies, controls and procedures (PCPs).

You should also refer back to the PCPs at various stages throughout your compliance check. For example, you should do this:

  • during and after your interview with the business to ensure what was said corresponds with the written PCPs
  • after you’ve reviewed the client list or transaction list to ensure that the business has appropriately put PCPs in place to mitigate and manage the risks it is subject to
  • after you’ve conducted records testing

Remember, the PCPs may be recorded in different ways across the business as detailed below.

What are policies?

Policies are usually high-level and will likely detail the business’s approach to preventing money laundering, terrorist financing and proliferation financing (ML/TF/PF), including named individuals and their roles and responsibilities.

What are controls?

Controls may be built into operating systems (for example a till alert at a high value dealer or thresholds built into a money service business’s IT system). Staff may not be aware of how the controls work; you therefore may need to speak to a software engineer or a business’s IT department. There are experts within HMRC who can help you – see ECSH 32928 Data handler.

What are procedures?

Procedures are the actions staff take when processing transactions and taking on new clients. There may be lots of procedures but not all will be for anti-money laundering purposes. Staff must understand why they need to perform a certain action or obtain approval before continuing with a course of action.

Procedures may be recorded electronically or in paper format, for example, in help cards and prompts. You must ensure you have considered all of these, not just documents headed up as the anti-money laundering procedures.

Requesting the policies, controls and procedures

Depending on the circumstances of your case, you may have requested a copy of the PCPs:

  • during your initial contact with the business alongside other documents for a compliance check – see ECSH 32820 What to establish
  • when determining an application for registration for anti-money laundering supervision for money service businesses (MSBs) and trust or company service providers (TCSPs). In this case, the PCPs may be requested by letter - see ECSH 45815 The fit and proper test – RA and PCP inspection

You should be aware that requesting the PCPs prior to the compliance check may not apply in certain circumstances, such as an unannounced or branch/agent visit.

You must consider:

  • the format of the documents and how the business will provide them to you (post, email or by Dropbox)
  • the time frame for providing the documents
  • the relevant period that the documents cover

More information on requesting the PCPs can be found at ECSH 32825.

You must ask for the most up to date document and the relevant period that the PCPs cover. It is important that you obtain a copy of any previous PCPs which were in place during the relevant period you select for your compliance check. For more information on the relevant period, see ECSH 32825. You may need to ask further questions to establish when the PCPs were created and updated by the business.

If a business provides you with updated PCPs during your intervention, you can acknowledge any improvements made. However, you must carry out records testing against the procedures in place when a transaction was carried out or business relationship established.

What to do if the business does not send you the policies, controls and procedures

If the business does not send the policies, controls and procedures, you should follow the guidance titled “What to do if the business does not send you the information requested” at ECSH 32825.

What to do if the business confirms there are no policies, controls and procedures in writing

When requesting the written PCPs, the business may say that it does not have its PCPs in writing. You may need to explain what is meant by PCPs and check that the business understands your request. You should also check whether they are included in any other business documents - more guidance can be found at ECSH 32825.

If the business confirms that it does not have PCPs in writing, you should tell the business that this is a breach of regulation 19(1)(c) and 19A(1)(c) of MLR 2017, and they need to correct the breach as soon as possible.

You must direct the business to guidance available on GOV.UK, and other help and support available.

You should note that a business may have PCPs in practice but have failed to record them in writing. You must confirm this with the business as soon as possible, leaving no ambiguity, as there are distinct breaches of the subsections of regulation 19 you must establish

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

You will need to confirm the business’s PCPs mitigate the ML/TF/PF risks it faces through thorough questioning.

Reviewing the policies, controls and procedures in writing

Your review of the PCPs is to ensure the business can demonstrate it will comply under regulation 59(1)(e).

Once you have received a copy of the business’s PCPs, you must set aside time to review them in detail. You should review them in line with:

  • all parts of regulation 19 and 19A of MLR 2017
  • all parts of regulation 20 of MLR 2017 where applicable
  • the technical guidance -

    (This content has been withheld because of exemptions in the Freedom of Information Act 2000)

  • what you know about the business (such as its activities, size, and structure) from your initial review - see ECSH 32700 Initial review
  • the results of your initial contact - see ECSH 32910 Results from initial contact and review of documents, and
  • the sector specific risks – see ECSH 32930 Sector specific risks

Remember that the business must use its risk assessment to design and put in place PCPs to manage and reduce the impact of any risks identified and assessed. It's important that you don't review the PCPs in isolation.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

Templates and third-party providers

For information on templates and third-party providers, see the guidance titled “Templates and third-party providers” within ECSH33205 Checking risk assessment and management.

Results from initial review

After your initial review of the PCPs, you must consider your findings. Some questions to consider are covered in ECSH32910 Results from initial contact and review of documents.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

Also remember, if a business has not established and maintained PCPs because it has failed to assess a risk, the breach will be under regulation 18(1) - see ECSH 33205.

Who is responsible for the policies, controls and procedures?

It’s important to note that the business is responsible for the PCPs even if they have been provided by an independent adviser.

Similarly, a franchisor may have provided PCPs to its franchisees. However, franchisees that are independently registered for anti-money laundering supervision must ensure they comply with the requirements of MLR 2017 and other legal and regulatory requirements.

For principal and agent relationships, most commonly seen in money service businesses, you must read the guidance in ECSH 51080 Principal/Agents Networks.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)