ECSH33710 - Records testing: initial sample
After you have decided on the relevant period to test, you will need to decide how many customers or transactions to test and which customers or transactions in that period you want to focus on initially.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
How many customer or transaction records should you test?
The number of customers or transactions you need to check will depend on the type of business, the size and nature of the activity, and the risks involved.
If there are few relevant transactions, you may decide to look at records relating to them all.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
You may start off testing a few customers or transactions to gain an understanding of what to expect. You will then have a better indication of an appropriate number to test, and can extend your initial sample based on your initial findings.
If the initial findings show consistent breaches of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), you may ask the business to agree that the breaches would exist across all customers if testing continued. You will need this when determining an appropriate sanction. You need to ensure that the test samples and the risk areas selected are reasonable and represent the overall business fairly and accurately. Sampling insufficient transactions would not provide robust evidence to demonstrate that an issue is widespread (or systemic).
You may need to discuss with the business what a representative sample of its transactions or customers would be, or whether it is satisfied the numbers tested are representative of the business as a whole. You will also need to get its agreement that the results found are a fair representation of the business. If not, you may need to extend your sample to include other customers. This agreement should be recorded in your notes of meeting.
Which transactions to test
You will need to select a range of customers or transactions to test that the CDD measures (and simplified due diligence (SDD) and enhanced due diligence (EDD) where appropriate) are working in practice to mitigate the risk of money laundering or terrorist financing. Where a business assigns a risk rating to transactions or customers, select a sample of low, medium, and high-risk customers to confirm the business is taking a risk-based approach to CDD, and is adjusting checks to respond to risks rather than taking a tick-box approach.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
Extending the initial sample
If you have reviewed the records selected in your initial sample and you have not identified any areas of concern, you may decide to select another sample to test.
For example, you initially select a 3-month period to test CDD carried out by an art market participant (AMP) but you find that only a few of the transactions contain works of art which are in scope for supervision. You therefore decide to extend the relevant period to 12 months so that additional transactions are included and provide confidence that the CDD controls are working.
If you find areas where the business has not followed its own procedures or is not meeting the requirements set out in MLR 2017, you need to consider the gravity and duration of the breaches and must quantify the number of customers/transactions affected. You can widen your selection at any point to quantify a specific risk by testing more transactions/customer relationships or selecting a longer trading period.
You must explain your rationale for the type (and volume) of records selected for testing in your decision and evidence log (DEL).