ECSH33210 - Establishing policies, controls and procedures
Introduction
The policies, controls and procedures are required by regulation 19 (to mitigate and manage money laundering and terrorist financing risk) and regulation 19A (in relation to proliferation financing) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). You must ensure you are familiar with the requirements of these regulations by reading the technical guidance in ECSH63390 Regulation 19 – Policies, controls and procedures and ECSH63395 Regulation 19A – Policies, controls and procedures in relation to proliferation financing.
When preparing for a compliance intervention, you would usually request a copy of the business’s anti-money laundering, counter terrorist financing and proliferation financing (AML/CTF/CPF) policies, controls and procedures documents to review in advance. For the purposes of this guidance, the AML/CTF/CPF policies, controls and procedures documents will be referred to as the policies, controls and procedures (PCPs).
You should also refer back to the PCPs at various stages throughout your compliance intervention. For example, you should do this:
- During and after your interview with the business to ensure what was said corresponds with the written PCPs.
- After you’ve reviewed the client list or transaction list to ensure that the business has appropriately put PCPs in place to mitigate and manage the risks it is subject to.
- After you’ve conducted records testing.
Remember, the PCPs may be recorded in different ways across the business as detailed below.
What are policies?
Policies are usually high-level and will likely detail the business’s approach to preventing money laundering, terrorist financing and proliferation financing (ML/TF/PF), including named individuals and their roles and responsibilities.
What are controls?
Controls may be built into operating systems (for example a till alert at a high value dealer or thresholds built into a money service business’s IT system). Staff may not be aware of how the controls work; you therefore may need to speak to a software engineer or a business’s IT department. There are experts within HMRC who can help you – see ECSH32928.
What are procedures?
Procedures are the actions staff take when processing transactions and taking on new clients. There may be lots of procedures but not all will be for anti-money laundering purposes. Staff must understand why they need to perform a certain action or obtain approval before continuing with a course of action.
Procedures may be recorded electronically or in paper format, for example, in help cards and prompts. You must ensure you have considered all of these, not just documents headed up as the anti-money laundering procedures.
Requesting the policies, controls and procedures
Depending on the circumstances of your case, you may have requested a copy of the PCPs:
- During your initial contact with the business alongside other documents for a compliance check – see ECSH32820.
- When determining an application for registration for anti-money laundering supervision for money service businesses (MSBs) and trust or company service providers (TCSPs). In this case, the PCPs may be requested by letter - see ECSH45815.
You should be aware that requesting the PCPs prior to the compliance check may not apply in certain circumstances, such as an unannounced or branch/agent visit.
You must consider:
- The format of the documents and how the business will provide them to you (post, email or by Dropbox).
- The time frame for providing the documents.
- The relevant period that the documents cover.
More information on requesting the PCPs can be found at ECSH32825.
You must ask for the most up to date document and establish the relevant period that the PCPs cover. It is important that you also obtain a copy of any previous PCPs which were in place during the relevant period you select for your compliance intervention (for more information on the relevant period, see ECSH32825). You may need to ask further questions to establish when the PCPs were created and updated by the business.
If a business provides you with updated PCPs during your intervention, you can acknowledge any improvements made, however, you must carry out records testing against the procedures in place when a transaction was carried out or business relationship established.
What to do if the business does not send you the policies, controls and procedures
If the business does not send the policies, controls and procedures, you should follow the guidance titled “What to do if the business does not send you the information requested” at ECSH32825.
What to do if the business confirms there are no policies, controls and procedures in writing
When requesting the written PCPs, the business may say that it does not have its PCPs in writing. You may need to explain what is meant by PCPs and check that the business understands your request. You should also check whether the PCPs are included in any other business documents - more guidance can be found at ECSH32825.
If the business confirms that it does not have PCPs in writing, you should tell the business that this is a breach of regulation 19(1)(c) and 19A(1)(c) of MLR 2017, and they need to correct the breach as soon as possible.
You must direct the business to guidance available on GOV.UK, and other help and support available.
You should note that a business may have PCPs in practice but failed to record them in writing. You must confirm this with the business as soon as possible, leaving no ambiguity, as there are distinct breaches of the subsections of regulation 19 you must establish – see “What to establish” in ECSH63390 for more information.
You will need to confirm, through detailed questioning, that the business’s PCPs mitigate the ML/TF/PF risks it faces.
Reviewing the policies, controls and procedures in writing
Your review of the PCPs is to ensure the business can demonstrate it will comply under regulation 59(1)(e) MLR 2017.
Once you have received a copy of the business’s PCPs, you must set aside time to review them in detail. You should review them in line with:
- All parts of regulation 19 and 19A MLR 2017.
- All parts of regulation 20 of MLR 2017 where applicable.
- The technical guidance.
- What you know about the business (such as its activities, size, and structure) from your initial review.
- The results of your initial contact.
- The sector specific risks.
Remember that the business must use its risk assessment to design and put in place PCPs to manage and reduce the impact of any risks identified and assessed. It's important that you don't review the PCPs in isolation.
Authorisations teams use checklists when reviewing the risk assessment and policies, controls and procedures for MSBs and TCSPs which can be found in the Knowledge Library - see ECSH45815.
You may identify areas of the PCPs that you want to ask further questions about. To help you when reviewing the document, you could highlight the areas on the copy of the document or annotate it. This can be done digitally or on the paper copy. Consider the security implications if you are travelling with paper copies. See the information in HMRC Security and Information Zone - Home. You must ensure a copy of the PCPs with any notes you have added is uploaded to the document store of Caseflow.
You should also incorporate any questions you want to ask, based on your review, into your aide memoire or topic plan if you use one. For example, you could reference a specific page, line or topic and ask any questions to the business you may have in relation to it.
You may also identify procedures that the PCP documents do not cover, for example, procedures to mitigate a specific risk. Again, you can add this to your aide memoire or topic plan and discuss it during your compliance check – see ECSH32930.
Templates and third-party providers
For information on templates and third-party providers, see the guidance titled “Templates and third-party providers” within ECSH33205 Checking risk assessment and management.
Results from initial review
After your initial review of the PCPs, you must consider your findings. Some questions to consider are covered in ECSH32910 Results from initial contact and review of documents.
Checking the PCPs through questioning
Whether you have received the PCPs documents from the business or not, it is essential for you to have a conversation with the business about the PCPs that have been implemented. You should be aware that the PCPs in practice may differ from those written down. If there are PCPs in place which are not included in the written documents, you must establish:
- Why are they not in writing?
- Is this because they are new PCPs?
- When were they established?
- Are there any other records in writing which cover the PCPs which you may need to consider?
This will help you to understand whether there is a breach of regulation 19(1)(b) and/or 19(1)(c) MLR 2017.
You must also consider whether the PCPs in place are being followed in practice. If not, you should consider whether the business has failed to maintain (implement, monitor and adhere to) its PCPs under regulation 19(1)(a) MLR 2017.
Remember, the business must establish and maintain its PCPs, it must do both (establish and maintain). If it has failed to do one or both, there will be a breach of MLR 2017.
Also remember, if a business has not established and maintained PCPs because it has failed to assess a risk, the breach will be under regulation 18(1) MLR 2017.
Who is responsible for the policies, controls and procedures?
It’s important to note that the business is responsible for the PCPs even if they have been provided by an independent adviser.
Similarly, a franchisor may have provided PCPs to its franchisees. However, franchisees that are independently registered for anti-money laundering supervision must ensure they comply with the requirements of MLR 2017 and other legal and regulatory requirements.
For principal and agent relationships, most commonly seen in money service businesses, you must read the guidance in ECSH51080.
You should also ensure you have read the “MSB best practice” guidance within ECSH63390.
What to establish when checking the policies, controls and procedures
For more information on what to look for and establish when checking PCPs, you must read the guidance in ECSH63390 Regulation 19 and ECSH63395 Regulation 19A.
Additionally, you should consider whether the business has:
- Established effective PCPs to mitigate and manage each of the ML/TF/PF risks identified in the business’s risk assessment.
- Established effective PCPs to mitigate and manage each of the ML/TF/PF risks detailed in the sector guidance, the “Understanding risks and taking action” guidance and the National Risk Assessment.
- Maintained (followed) its PCPs.
- Reviewed its PCPs regularly.
- Kept a record in writing of the PCPs.
- Kept a record of changes to the PCPs.
- Kept a record of communications to staff regarding the PCPs.
You should also consider whether the PCPs:
- Are proportionate and approved by senior management (under regulation 19(2) MLR 2017).
- Include all the points of regulations 19(3),19(4) and 20 MLR 2017 (where applicable).
- Include details about identifying and reporting suspicious activity.
- Include any simplified procedures where appropriate.
- Have improved if the business was in breach from a previous compliance check.
- Have been communicated to the business’s branches and subsidiaries which are located outside the UK if applicable (under regulation 19(6) MLR 2017).
Your evaluation of how effective the PCPs are will be determined by undertaking a range of risk-based tests to check the level of customer due diligence measures applied and appropriate reporting of suspicious activity - see ECSH33700 and ECSH33600.
You must test that the PCPs are working in practice so that you can establish which (if any) of the above points have not been met, and whether any gaps in the PCPs amount to breaches of MLR 2017.
To address the risks that have been identified in the risk assessment, you may need to ask questions such as:
- Are higher-risk customers and transactions subjected to enhanced levels of customer due diligence and monitoring?
- What customer monitoring arrangements are put in place?
- What does the business consider to be a “complex” or “unusually large” transaction?
- How are higher-risk transactions recognised and subjected to the appropriate level of scrutiny?
- (For MSBs, high value dealers (HVDs), art market participants (AMPs) and letting agency businesses (LABs)) is there a system to identify transactions that have been split into smaller amounts below the threshold for verification of the customer’s identity?
- (For MSBs, HVDs and AMPs) is there a system to identify and scrutinise unusual patterns of transactions which have no apparent economic or visible lawful purpose?
- In what circumstances are individuals and businesses checked against sanctions lists?
- How does the business keep its risk-awareness and controls up to date?