ECSH33400 - Checking internal controls and compliance monitoring


During a compliance check, you should ensure that the business has internal controls in place to monitor and manage its compliance with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations (MLR 2017).   

The requirements for internal controls are set out in Regulation 21 of the MLR 2017. You should ensure you read the technical guidance which covers what internal controls are required, what to establish, and how to test complianceSee ECSH 63405  

Internal controls should be appropriate to the size and nature of the business and the risks of the clients and/or services.Some controls may be manual,and some built into the business’s IT systems.Below are some non-exhaustive examples: 

ensure customer identification and acceptance procedures reflect the risk characteristics of customers 

to identify when a customer or beneficial owner is a politically exposed person (PEP) and ensure additional controls are in place for approving transactions with them 

systems are capable of picking up and flagging warning signs of potentially suspicious activity 

systems can identify when transactions are with or through high-risk third countries and the business is taking additional measures to manage and lessen the risk 

You need to check the business is carrying out regular assessments of its internal controls and systems to make sure they are working.You should consider: 

who is responsible for checking that the internal controls are working? 

does the business have an internal audit department? 

if so, how often are checks carried out? 

does the business have any reports? (You may want to ask to see the latest report) 

has the business had any external audits done? 

if so, you may want to ask about their findings and any actions the business has taken following this 

You should also consider who is appointed as the nominated officersee ECSH 33111 Nominated officer, and compliance officer where necessary – see ECSH 33112 Compliance officer – to ensure they can carry out their role/s effectively. 

What the business does to monitor compliance and check that internal controls are working should be explained in the business’s policies, controls and procedures – see ECSH 33210 Establishing policies, controls and procedures.  

You should check the businessis doing what is described in writing and that it is appropriate to the size and nature of the business. For example, the expectation for a very small business is different than a large business with multiple branches. For more guidance on what is appropriate, see the technical guidance in the link above. 

Its important to consider whether the business meets the requirement to establish and maintain systems to respond “fully and rapidly” to enquiries from law enforcement authorities, as to whether it has had a business relationship with any person, andthe nature of that relationship, within the last 5 years. 

Businesses with agents and/or branches 

If the business has agents included within its registration, you should consider how risk and compliance are managed in respect of Fit and Proper criteria, customer due diligence, transaction monitoring and reporting suspicious transactions. 

If the business has branches or agents, you should establish whether site visits are carried out to branches or agents to check compliance.If so, you should check the compliance audit indicates the branch visited, files reviewed, staff spoken to and whether the check was satisfactory or what remedial actions were taken. If not, you should consider how the business monitors agent/branch activity and consider whether any additional premises should be visited – see ECSH 32630 Visits to a business with a large number of branches.