ECSH33215 - Communication of policies, controls and procedures

Introduction

After you have established the policies, controls and procedures (PCPs) a business has in place (see ECSH33210), you should ask the business to explain how it communicates them to relevant staff members, agents, subsidiaries, and branches depending on the business structure.

PCPs need to be communicated within the business to ensure that all staff undertaking relevant activity are aware of the most up-to-date PCPs to mitigate and manage the risks of money laundering, terrorist financing and/or proliferation financing (ML/TF/PF) identified by the business in its risk assessment.

Internal communication of PCPs is required by regulation 19 and regulation 19A of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).

For guidance on the PCPs, see ECSH63390 Regulation 19 and ECSH63395 Regulation 19A - Policies, controls and procedures in relation to proliferation financing.

A parent company that carries out relevant activity must ensure that it complies with regulation 20 where it has subsidiaries and branches, including those located outside the UK, that carry out any activity subject to MLR 2017. This includes the requirement that the business must tell HMRC if any subsidiaries or branches cannot follow the parent company’s normal procedures.

For more guidance, see ECSH63400 Regulation 20 – Policies, controls and procedures: group level.

How to check the internal communication of the policies, controls and procedures is effective

During the compliance check, you should consider asking questions to establish how the PCPs are communicated to the relevant people depending on the business structure. Questions may include:

  • how are the PCPs communicated to new staff (by email, verbally in formal/informal meetings)?
  • how are the PCPs communicated to agents, branches, and subsidiaries (where applicable)?
  • how are any changes to the PCPs communicated to staff?
  • is there a record of the communication of the PCPs?

You may decide to speak to relevant staff members to check their understanding and awareness of the PCPs and to check how they are notified of any changes to the PCPs.

Depending on the risks and what the business has told you, you may want to ask to see records of the PCPs being communicated such as notes of internal meetings and emails.

You should consider that the PCPs may be communicated in different ways. For example, changes to procedures which affect client-facing staff may be communicated in meetings. The procedural changes could be specific to the job role and what they need to do as part of their role, such as customer due diligence. An example of controls being communicated could be in the form of pop-ups or restricted fields on a business’s IT system which could act as reminders or limit the value of the transactions which are put through the system.