ECSH63380 - Regulation 18 - Risk assessment by relevant persons

The Law - Regulation 18 - Risk assessment by relevant persons

What it means

A relevant person/business must identify and assess the risk of Money Laundering and Terrorist Financing ('MLTF') to its business. Remember - 'must' denotes a legal obligation; undertaking a risk assessment (RA), which is specific to the business, is not optional and failure to do so is a breach of Regulation 18.

The RA must be specific to the nature of the activities and the organisational structure (including branches and agent networks). The RA must consider risks published by HMRC in sector risk assessments and guidance on GOV.UK, along with the 5 factors shown in the “What to establish” section below.


Purpose

A relevant person/business needs to know the risks faced and how severe those risks are - without this, it wouldn't be possible to prevent the business being exposed to MLTF.


Time Line

The subject of risk assessment and management is referred to in Reg 20 MLR2007 (Policies and procedures).


What to establish

18(1) - Has the relevant person/business taken appropriate steps to identify and assess the risks of ML/TF? This is a fundamental requirement which is in two parts - firstly to identify a risk, and then to assess the likelihood and impact of that risk.

“Appropriate steps” include whether it has followed published guidance and has considered whether the risks shown in our published sector risk assessment are present within the business. Information published on GOV.UK shows the date guidance came into force and any subsequent revisions made. It’s important that you only refer to guidance available during the trading period being reviewed.

For example, if a risk was added to the sector guidance “Understanding risks and taking action” in October 2022, you cannot expect a business to have considered the risk in its own risk assessment until after that date.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

18(2)(a) - You must review the business’s documents alongside the published guidance and external risk assessment. What is the business's awareness of HMRC's published guidance?

Has it read the “Understanding risks and taking action” guidance alongside the National Risk Assessment?

What information has it taken into account regarding high risk third countries (HRTC)?  

The table in the Schedule 3ZA tab shows when countries were added and/or removed as an HRTC. Note: the Sch 3ZA tab is still there, but the list was omitted on 23 Jan 2024; now use the FATF list of High-risk and other monitored jurisdictions, via this hyperlink in your browser:

High-risk and other monitored jurisdictions

Is the business aware FATF publishes reports on countries in which the business, or its customers, may operate?

Has it used any of these documents when compiling its RA?

If not, why not? 

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

18(2)(b) - Has the business properly considered the risk factors relating to: customers; countries or geographical areas in which it operates; its products or services; transactions; and delivery channels?

18(3) - How big and complex is the business? Have risk factors been considered for all facets of the business?

18(4) - Is there a written record of the steps taken when assessing their business? - Fundamental Requirement

18(6) - Can they provide, in writing and upon request, the information on which the risk assessment was based?


How to test compliance and evidence to obtain

Prior to your first meeting, where possible and applicable, obtain a copy of the latest Risk Assessment together with its version control/amendment history. Ensure a written record of the Risk Assessment process is available.

The Risk Assessment and PCP documents may not be separate documents. Question the business about its perceived level of risk and challenge their response as necessary, keeping a clear record of this exchange in your notebook and notes of meeting. Question the business to find out how they operate. Find out the end-to-end process of a transaction. What risks have been identified, and how have they been assessed?


(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

Best Practice

Obtain a copy of the latest Risk Assessment at the start of the intervention and prior to visit/interview. Ask for a version/amendment history if appropriate. (This content has been withheld because of exemptions in the Freedom of Information Act 2000) During your meeting, ask the relevant person/business if the risks captured in the RA and discussed during the meeting are a complete record of the risks which have been identified and assessed - record this question and the response clearly in your notes of meeting. Consider the contents of the Regulation 18 walk through.

AMP - The business should take account of the following when assessing risk: who is ultimately buying the artwork and where the AMP sits in each deal chain (e.g. is the AMP acting for the final customer or for another intermediary). Where the artwork is displayed/stored and if this is usual for the area/country. The type and value of artworks generally traded. The provenance of artwork/proof of ownership and method of payment, including transactions deliberately broken down to avoid the 10,000 euro threshold. How the artwork will be delivered to the ultimate beneficial owner.

ASP - The business should take account of the following when assessing risk: Client profile. Whether it has clients who are in an unusual location in relation to the ASP or operate outside the UK. If the services it offers (or combination of services) carry a higher risk than others. If clients pay in cash or are involved in a cash intensive business. If it meets its clients face to face or if verification is carried out by other means.

EAB - The business should take account of the following when assessing risk: Complex ownership structures with an opportunity to hide underlying beneficial owners. Operating in high risk countries or geographic areas of risk including overseas buyers/sellers. The types and values of properties sold (e.g. residential, commercial, super prime (>£5M) etc). How properties are financed. Buyers and sellers they do not meet face to face.

LAB - The business should take account of the following when assessing risk: The types of clients and reasons behind high value lettings. Clients operating in high risk countries or geographic areas of risk. The types and values of properties involved. How rentals are financed (e.g. the risk of disposal of criminal funds). Clients who they do not meet face to face.

HVD - The business should take account of the following when assessing risk: different customer types and why they want to pay in cash. Customers travelling large distances to purchase goods and/or deliver cash, particularly for goods exported to countries with high levels of corruption or with restrictions on the use of cash (often undeclared at the point of exit/entry). Types of goods, especially those known to be attractive to criminals (e.g. precious metals and stones, luxury goods/cars, wholesale alcohol and other goods used in supply chain fraud). Transactions deliberately broken down to avoid the 10,000 euro threshold, either using multiple invoicing or when depositing cash into a bank. Goods diverted to a different end user and/or cash delivered by an unknown third party, including Informal Value Transfer Systems (IVTS) and using MSBs to deliver cash on behalf of overseas customers.

MSB - The business should take account of the following when assessing risk:

Agent networks and the risks associated with lengthening transaction chains.

Countries/geographic areas funds are being transmitted to - if this includes high risk jurisdictions (as set out by the Financial Action Task Force), has this been recognised, and is Enhanced Due Diligence being applied to all transactions?

Hawala banking systems - traditionally a ledger-based offsetting financial arrangement, meaning that funds do not physically move across borders/territories.

How transfers of funds are "settled" - does this involve third-party payments and/or informal value transfer? If yes, has this been recognised as a high-risk methodology?

When considering whether the thresholds set are appropriate, you should consider the "size and nature" of the business - for example, average transaction size vs threshold amount.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

The use of agent networks or Intermediary Payment Service Providers, Hawala or Informal Value Transfer Systems (IVTS) to execute transactions. 

Please read and consider Understanding risks and taking action for money service businesses.

Please read and consider HMRC's published guidance for MSBs.

Please read and consider EU policy on high-risk third countries Regulation 18 walk through.

TCSP - The business should take account of the following when assessing risk:

Who its clients are and why they are using its services, including those involving complex ownership structures that do not appear to make financial sense.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

If it meets its clients face to face or if verification is carried out by other means.

Further Reading

JMLSG guidance part 1, chapter 4 including annexes 4-I, 4-II and 4-III

Risk assess your business for money laundering supervision

The Money Laundering and Terrorist Financing (High-Risk Countries) Regulations 2021

National risk assessment of money laundering and terrorist financing 2020

National risk assessment of money laundering and terrorist financing 2017

Corruption Perceptions Index

Office of Financial Sanctions Implementation

Customer due diligence measures - Regulation 28

FAQs

What if the Risk Assessment and PCP documents are in the same document? There is no legal obligation for relevant businesses to have two separate documents, as long as the content sufficiently covers each requirement of the Regulations.

If the relevant person/business has failed to appropriately identify risks associated with customers, have they breached 18(2)(b)(i)? Possible breaches under Regulation 18 will occur under either 18(1) or 18(4). (This content has been withheld because of exemptions in the Freedom of Information Act 2000)

What terminology should I use when completing a table of failure? Use the terms used in the Regulations, e.g. "failed to keep a record in writing" rather than "failed to keep a written record".

When can we allow a business to depart from the need to keep an up-to-date written record of its risk assessment, and the steps taken to create it? Please see ECSH81100.