ECSH33220 - Anti money laundering training

Introduction

After checking the risk assessment ,establishing the policies, controls and procedures (PCPs) and the communication of the PCPs, you should establish what anti-money laundering, counter terrorist and proliferation financing (AML/CTF/CPF) training is provided to staff.

Training is required by regulation 24 of the Money Laundering, Terrorist Financing and Transfer of Funds (information on the Payer) Regulations 2017 (MLR 2017) to ensure relevant staff are:

  • Made aware of the law relating to money laundering, terrorist financing and proliferation financing (ML/TF/PF), and to the requirements of data protection relating to MLR 2017.
  • Regularly given training in how to recognise and deal with transactions and other activities or situations which may be related to ML/TF/PF.

You must ensure you read the technical guidance in ECSH63415 Regulation 24 - Training.

 

What the anti-money laundering training must include

You must establish what the training includes and ensure it meets the requirements of regulation 24 of the MLR 2017. Follow the “What to establish” section in ECSH 63415 Regulation 24 – Training.

You should consider if the training adequately provides the following:

  • The requirements of MLR 2017, Part 7 of the Proceeds of Crime Act 2002 and sections 18 and 21A of the Terrorism Act 2000.
  • Information on how to recognise and deal with transactions or other activity which may be related to ML/TF/PF.
  • Information on what suspicious activity could look like? See sector specific risks and red flag indicators published in the sector guidance on GOV.UK.
  • Information on what to do when customer activity raises suspicion.
  • Data protection requirements.

 

Different types of anti-money laundering training 

MLR 2017 are not prescriptive in the type or form of training which is to be provided to staff. You should be aware that training may include:

  • Face to face training sessions.
  • Online training sessions.
  • HMRC webinars.
  • Going to conferences.
  • Attending internal meetings to discuss the business procedures.
  • Reading relevant publications.
  • Meetings to look at the issues and risks.

Please note that this is not an exhaustive list of training. You may find that a business uses a combination of different types of training depending on the size, nature, and structure of the business. Some businesses also use external providers to deliver training.

There is also e-learning available to businesses on GOV.UK. It is found in the same place as the HMRC webinars. The e-learning available is referenced as "guidance" but are training modules. They vary in length based on the sector and the subject being discussed. You should review the link and then ensure that you also provide it to and discuss it with the business.

 

Who needs to be trained

The business must make sure that relevant employees and agents, whose work is described in regulation 24(2), are trained.

Before you can test whether the measures taken are appropriate, you must establish which members of staff carry out activities in relation to MLR 2017. These will vary from business to business but may include members of a compliance or internal audit team, customer facing staff, accounts staff who process payments or monitor payments into the business’s bank account, as well as the nominated officer and compliance officer.

When carrying out records testing , you may also create your own list of staff and agents who are shown within transaction records, to check against training records.

For more information on who needs to complete AML/CTF/CPF training within a business, see the “What to establish” section within ECSH 63415 Regulation 24 - Training.

 

When is anti-money laundering training needed

MLR 2017 is not prescriptive on when training must be provided or how frequently. You should establish when training is given to new starters and how learning is reviewed and updated. This may include any updates to the legislation, staff changing roles, new products or services, or any changes to the business’s risk assessment, policies, controls or procedures.

It is for the business to determine how often staff and agents are trained. 

You should question the business on how it has determined this and whether it has taken into account the factors in regulation 24(3) MLR 2017. Consider whether this is appropriate. For example, this will look different in a money service business (MSB) who is a sole trader as opposed to a principal with an agent network.

For more information, refer to Part I, Chapter 7 of the Joint Money Laundering Steering Group (JMLSG) guidance.

 

Testing the anti-money laundering training

To test compliance with MLR 2017 and check that AML/CTF/CPF training is given to relevant employees and agents, you should read the guidance titled “How to test compliance and evidence to obtain” within ECSH 63415 Regulation 24 - Training.

As part of your planning and preparation for your compliance check, when undertaking your initial review, you should review the description of the training undertaken by the the beneficial owners, officers and managers (BOOMs) of the business) in the application form on ETMP.

You may ask to see training records during a compliance check, or to help you determine a business’s application to register for anti-money laundering supervision – see ECSH 45815 The fit and proper test – RA and PCP inspection. This is to ensure the business can demonstrate it will comply under regulation 59(1)(e).

The records you may ask to see may include but are not limited to:

  • Training certificates.
  • Human Resources (HR) records.
  • A training record/log.
  • Diary or calendar entries.
  • Emails sent to members of staff providing updates or changes to the law.

Remember, it is a requirement of regulation 24 MLR 2017 that the business must maintain a record in writing of the training it has provided and its contents. MLR 2017 are not prescriptive about the type of record in writing that is kept, and different businesses may record the training in different ways.

If you are requesting training records to be sent to you, you should consider the ways in which information and documents can be sent to you securely - see ECSH 33725 Electronic documents and records.

When reviewing the training records you should consider the following:

  • Have all relevant employees completed training? If not, why not? You can check individual names recorded in a training record/log against the list of relevant employees who need to be trained (see above).
  • What date was the initial training completed – was it before accepting relevant activity or being provided with relevant system logins?
  • What training has an individual been provided with since the initial date recorded?
  • Has training been completed following an update to MLR 2017? (you should check the dates of any updates to MLR 2017 against the dates training has been provided).
  • Has training recently been completed, and if so, is this the first-time training has been done or is it part of ongoing training? (consider the duration of the staff member’s employment in a role which requires AML/CTF/CPF training).

If the training records you are reviewing are incomplete or if you have any further questions following your review, you should discuss this with the business to check your understanding. For example, you may have concerns around the timing of training (such as a new starter undertaking relevant activity before completing their training) or that a relevant member of staff isn’t shown with the records.

You will also need to review the training material to ensure it is correct, and ask the business questions surrounding this, such as:

  • How does the business check that staff members have understood the training and know how to apply what they have learned?
  • Do staff and agents take any tests as part of the training to check their knowledge? If so, is there a pass mark? What happens if they do not achieve the required pass mark?
  • Is the training proportionate and reasonable in relation to the risks of ML/TF/PF the business is exposed to?

You may want to speak to members of staff to make sure that training has been effective and that they:

  • Understand the law.
  • Can explain what suspicious activity they look out for when carrying out their role.
  • How and when they would report it, and
  • What they would tell the customer if a transaction is delayed or refused.

It is also important to establish which members of staff were concerned in any MLR 2017 breaches you find. For example, you may establish customer due diligence breaches have only occurred in a particular branch, at a particular agent’s premises, or in transactions accepted by an individual sales representative. Having a full understanding of the training provided and records to confirm this, will help you evidence that a breach occurred due to a lack of training.

Where a member of staff hasn’t been trained, but also hasn’t carried out any relevant activity or been concerned in any breaches, you will need to consider how this may impact the outcome of your compliance check.