ECSH54675 - AMP risk and compliance checks
You should refer to ECSH33000 when considering how to test compliance with the Money Laundering Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017(MLR) at a compliance visit. The information below is supplementary and focuses on specific circumstances you may come across whilst on an Art Market Participant (AMP) visit.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000) But for a full compliance visit, an officer should seek to understand all AMP services (relevant activity) conducted by the AMP, how the AMP has risk assessed each area of its AMP activity and how it manages and mitigates those risks.
Record testing should span all of the AMP services provided. For example, where a business sells directly to customers and also conducts AMP-to-AMP sales, records should be selected from both sub-sectors.
Where the AMP carries out relevant activity in another supervised sector, such as an HVD, an officer should seek to check the business’s compliance with the MLRs in respect of that additional sector(s). Record testing should span all sectors of relevant services provided by the business, including where provided in combination.
Information on general money laundering, terrorist financing and proliferation financing risks for AMPs can be found at ECSH54625.
Guidance
The guidance for AMPs is published by the British Art Market Federation (BAMF), unlike most of the other sectors supervised by HMRC, for whom HMRC issues its own guidance.
The BAMF guidance is intended to assist AMPs in complying with their obligations under the regulations. This is available here.
HMRC’s external risk narrative (‘Understanding Money Laundering Risks and Taking Action for Art Market Participants), which provides risk indicators and guidelines to AMPs on risk characteristics, is published on gov.uk. AMPs must take both the BAMF guidance and HMRC’s risk narrative into consideration as part of their compliance obligations under the Regulations. A compliance visit to an AMP should therefore include establishing whether and to what extent they have considered these publications and followed their guidance and any other guidance referred to within it.
Generic Risk Assessment (RA) and/or Policy, Controls and Procedures (PCPs) documents
You may find that an AMP has purchased risk assessment and/or policy, controls and procedures documents from one of a number of firms that operate in producing these for the art market. These will be produced to you as evidence of compliance with the MLR 2017s. However, some of these may be generic in nature. A business’ RA and PCPs must be specific to the risks they have identified in their services and customers; generic documents are therefore unacceptable as they are not tailored to the individual circumstances of the AMP.
For more information on checking RAs and PCPs see ECSH32625 and ECSH32650.
Customer Due Diligence (CDD)
Regulation 28 MLR 2017 sets out the requirements for CDD checks. Section 6 of the AMP guidance provides detailed information on the specific checks that a business should consider implementing to demonstrate that satisfactory CDD and, where appropriate, enhanced due diligence (EDD) measures are in place. EDD measures and requirements are set out in regulation 33 MLR 2017.
In addition to demonstrating it has identified its customers and verified their identity, it is also necessary for an AMP to demonstrate that sufficient customer information, and on the transaction itself, has been risk assessed in relation to possible involvement in money laundering, terrorist or proliferation financing activity.
If the transaction amounts to a business relationship, once such an assessment has been put in place, ongoing monitoring must be carried out to confirm that the risk has not altered or to identify changes which may warrant additional risk mitigation measures.
HMRC’s published risk narrative - ‘Understanding Money Laundering Risks and Taking Action for Art Market Participants’ includes non-exhaustive lists of potential risk factors for AMPs to consider when determining appropriate risk-based controls, including CDD/EDD measures.
High Risk Third Countries (HRTCs)
Regulation 33(1)(b) MLR 2017 requires regulated businesses (‘relevant persons’) to apply EDD measures and enhanced ongoing monitoring in any business relationships with a person established in an HRTC or in relation to any relevant transaction where either of the parties to the transaction is established in an HRTC.
A relevant transaction means a transaction in relation to which the relevant person is required to apply customer due diligence measures.
Being established in a country means:
- in the case of a legal person, being incorporated in or having its principal place of business in that country, or, in the case of a financial institution or a credit institution, having its principal regulatory authority in that country.
- in the case of an individual, being resident in that country, but not merely having been born in that country.
A HRTC is defined as a country named on either of the following lists published by the Financial Action Task Force:
(i) High-Risk Jurisdictions subject to a Call for Action;
(ii) Jurisdictions under Increased Monitoring
These lists are updated regularly, with countries being added or removed from the lists. It is important to regularly review them and ensure understanding of the countries on them.
An understanding of HRTC is essential in AMP cases, due to the often international nature of the art market.
The latest HMT Guidance on HRTCs is available at: Money Laundering Advisory Notice: High Risk Third Countries - GOV.UK (www.gov.uk).
Suspicious Activity Reports (SARs)
An AMP is also required to demonstrate it complies with MLR 2017 regarding the submission of Suspicious Activity Reports (SARs). Businesses are required under Part 7 of the Proceeds of Crime Act 2002 (POCA) and the Terrorism Act 2000 to submit a SAR in respect of information that comes to them in the course of their business if they know, or suspect or have reasonable grounds for knowing or suspecting, that a person is engaged in, or attempting, money laundering or terrorist financing. MLR 2017 require a business to have appropriate PCPs in place that will enable the submission of SARs.
Discrepancy Reporting
Regulation 30A MLR 2017 requires AMPs to check the companies house register and report material discrepancies regarding its customers to Companies House. A material discrepancy is when the information an AMP holds on a customer is significantly different to the information recorded by Companies House about a person of significant control (PSC) of a company, or a registrable beneficial owner of an overseas entity. An example of a significant difference could be a difference in name, date of birth or nationality of a PSC. Detailed information can be found on GOV.UK.
Training
Where the AMP has employees, the AMP should be assessed for compliance with the training obligations under regulation 24.
You may find that an AMP has purchased training material from one of a number of firms, either that operate in producing it for the art sector or produce generic Anti-Money Laundering (AML) training. In all cases, the training provided to staff of an AMP must be recorded.
Training must include the following:
- Training to ensure the AMPs employees aware of the MLR 2017s and data protection laws that are relevant to implementing the regulations.
- Training for employees on how to recognise and deal with transactions/activities/situations which may be related to money laundering or terrorist/proliferation financing.
Records
Regulation 66 MLR 2017 gives officers of HMRC the authority to request by notice in writing any information and sight of any documents that they consider necessary for them to test whether an AMP has complied with its obligations under MLR 2017, provided that the request is reasonable.
It may be necessary to ask to see the AMPs records of transactions, identity verification, property ownership documents etc. It would be reasonable for an officer to ask to see the documents to verify that the business has been following its own risk assessment process, and abiding by its policies, controls and procedures. It would be reasonable to ask to see the documents to verify this, as the request has an MLR-related purpose (testing of Customer Due Diligence and ongoing monitoring of a business relationship measures).
It is reasonable in all cases however, to ask to see evidence that the AMP has taken action to identify and then verify the identity of the customer as part of their CDD measures. The AMP is required to have written AML policy documents and ML/TF risk assessments and these, along with any spreadsheets compiled for ongoing monitoring purposes, should be inspected.
General Data Protection Regulations (GDPR)
An AMP may have concern that by keeping records relating to its customers for the periods and purpose as specified in the MLR 2017s, or by sharing records during a compliance visit, may breach their concurrent GDPR obligations. The excuse of 'breaching GDPR' can be countered by reference to Regulation 72(2). of MLR 2017.
Regulation 72(2) and (3) MLR 2017 provide that a businesses’ compliance in providing information pursuant to regulation 66, 69, 70, 74A or 74B MLR 2017 does not carry with it a civil liability for breaching GDPR obligations nor does that provision of information automatically breach restrictions on the disclosure of information.