Economic Crime Supervision Handbook

ECSH55175 - Compliance checks during a letting agent business intervention

You should refer to ECSH33000 when considering how to test compliance with The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) during a compliance intervention.

The information below is supplementary and focuses on specific circumstances you may come across during a compliance intervention.

You should seek to understand all letting agency business (LAB) services (relevant activity) conducted by the business, as well as any other services it provides within scope of MLR 2017, such as estate agency business (EAB) activity. You must understand how the business has risk assessed each area of its relevant activity and how it manages and mitigates those risks. Record testing should span all the relevant activity the business undertakes. For example, where a LAB provides both relevant commercial and residential lettings, and also provides EAB services, records should be selected from both sub-sectors and the EAB services.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

General money laundering, terrorist financing and proliferation financing risks for LABs can be found at ECSH55125. 

Guidance

HMRC’s guidance for Estate and Letting Agent Businesses gives information to assist LABs in complying with their obligations under MLR 2017. This is available on gov.uk.

HMRC’s assessment of the MLR risks relevant to the LAB sector (‘Understanding Risk and Taking Action for Letting Agent Businesses) is published here.

HMRC is required to publish this guidance in its risk assessment by regulation 17(9) MLR 2017.

LABs must take these publications into consideration as part of their compliance obligations under MLR 2017. A compliance intervention to a LAB should therefore include establishing whether and to what extent they have considered these publications and followed their guidance. LABs should be expected to provide an explanation for any departure from this guidance.

 

Generic Risk Assessment (RA) and/or Policy, Controls and Procedures (PCPs) documents

You may find that a LAB has purchased RAs and/PCP documents from one of a number of firms that operate in producing these for the lettings agent sector. These may be produced to you as evidence of compliance with MLR 2017. These types of documents are often generic in nature and do not properly assess or mitigate and manage the specific risks to which the business is subject, as required by MLR 2017. For more information on checking RAs and PCPs see ECSH32625 and ECSH32650.

 

Customer Due Diligence (CDD)

Regulations 27 and 28 MLR 2017 set out CDD obligations of a relevant person. Section 6 of the LAB guidance provides detailed information on the specific measures that a business should consider implementing to demonstrate that satisfactory CDD and enhanced due diligence (EDD) measures have been conducted. A relevant person’s EDD obligations are set out in regulation 33 MLR 2017.

It is also necessary for a LAB to demonstrate that sufficient information on the rental, property and transaction itself has been risk assessed in relation to possible involvement in money laundering, terrorist or proliferation financing activity. Once an assessment has been put in place, ongoing monitoring must be carried out to confirm that the risk has not altered or to identify changes which may warrant additional risk mitigation measures.

HMRC’s ‘Understanding Risk and Taking Action for Letting Agent Businesses include non-exhaustive lists of potential risk factors for LABs to consider when determining appropriate risk based CDD measures.

 

Suspicious Activity Reports (SARs)

The Proceeds of Crime Act 2002 (POCA) creates an offence of failing to make a report of suspicious activity.This applies to nominated officers and employees of LABs. Under MLR 2017, a business must have PCPs in place requiring everyone within the business to comply with their obligations under POCA . If employees, including the employees of agents, know or suspect, or have reasonable grounds for knowing or suspecting, that another person is engaged in money laundering or terrorist financing and that information comes to them in the course of the business, they must make a suspicious activity report.

Under MLR 2017, a regulated business must appoint a nominated officer to receive reports of suspicious activity from staff.The business’s nominated officer, or their appointed alternative, must consider all internal reports. The nominated officer must make a suspicious activity report to the National Crime Agency (NCA) as soon as it is practical to do so, even if no transaction takes place, if they consider that there is knowledge, suspicion or reasonable grounds for knowledge or suspicion that another person is engaged in money laundering, or financing terrorism.

The business must consider whether it needs to seek a defence against money laundering or terrorist financing offence (DAML) (formerly known as a consent SAR) from the NCA before proceeding with a suspicious transaction or entering into arrangements.

 

Discrepancy Reporting 

Regulation 30A MLR 2017 requires LABs to report material discrepancies regarding its customers to Companies House. A material discrepancy is when the information a LAB holds on a customer is significantly different to the information recorded by Companies House about a person of significant control (PSC) of a company, or a registrable beneficial owner of an overseas entity e.g. a difference in name, date of birth or nationality. 

Detailed information can be found here.

 

Training

Where the LAB has employees, the LAB should be assessed for compliance with the training obligations under regulation 24 MLR 2017. You may find that a LAB has purchased training material from one of a number of firms, either that operate in producing it for the letters or property sector or produce generic Anti-Money Laundering (AML) training. In all cases, the training provided to staff of a LAB must be recorded.  Training must include how the LAB has made their employees aware of the MLR 2017 and data protection laws and be appropriate for employees to be able to recognise and deal with transactions/activities/situations which may be related to money laundering or terrorist/proliferation financing.  

 

Records

Regulation 66 MLR 2017 gives officers of HMRC the authority to request sight of any documents that they consider necessary for them to assess whether a LAB has complied with its obligations under MLR 2017, provided that the request is reasonably required in connection with the exercise by HMRC of any of its supervisory functions.

In some circumstances, it may be necessary to request the LAB’s records of transactions, identity verification, etc. It would be reasonable for an officer to ask to see the documents to verify that the business has been following its own risk assessment process, and abiding by its policies, controls and procedures. It would be reasonable to ask to see the documents to verify this, as the request has an MLR related purpose (testing of Customer Due Diligence and ongoing monitoring of a business relationship measures). 

It is reasonable in all cases however, to ask to see evidence that the LAB has verified the identity of the customer as part of their CDD measures. Where the LAB has written AML policy documents, risk assessment documents and spreadsheets compiled for ongoing monitoring purposes these should be inspected.

 

General Data Protection Regulations (GDPR)

A LAB may have concerns that by keeping records relating to its customers for the periods and purpose as specified in MLR 2017, or by sharing records during a compliance intervention, this may breach their GDPR obligations. In this case, the LAB should be referred to regulation 72(2) MLR 2017. Regulation 72(2) and (3) MLR 2017 provide that a businesses’ compliance in providing information pursuant to regulation 66, 69, 70, 74A or 74B does not carry with it a civil liability for breaching GDPR obligations nor does that provision of information automatically breach restrictions on the disclosure of information.

Further information on GDPR and its impact on businesses can be found at ECSH10500 and record keeping obligations at ECSH33520.