ECSH63385 - Regulation 18A - Risk assessment by relevant persons in relation to proliferation financing

The Law

Regulation 18A


What it means

A relevant person/business must identify and assess the risk of Proliferation Financing (PF) to its business.

In addition to its risk assessment (RA) of money laundering and terrorist financing under regulation 18 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), a business must also take appropriate steps to identify and assess the risk of proliferation financing in relation to its activities.

Proliferation Financing means the financing of chemical, biological, radiological and nuclear (CBRN) weapons.

The Financial Action Task Force (FATF) states that PF activity includes ‘the act of providing funds or financial services which are used, in whole or in part, for the manufacture, acquisition, possession, development, export, trans-shipment, brokering, transport, transfer, stockpiling or use of nuclear, chemical or biological weapons and their means of delivery and related materials (including both technologies and dual-use goods used for non-legitimate purposes), in contravention of national laws or, where applicable, international obligations’. See the Further Reading section for a link to the report ‘Combating Proliferation Financing’.

Dual-use items are goods, software, technology, documents and diagrams which can be used for both civil and military applications. They can range from raw materials to components and complete systems, such as aluminium alloys, bearings, or lasers. They could also be items used in the production or development of military goods, such as machine tools, chemical manufacturing equipment and computers.

The RA must consider risks published by HM Treasury in its National Risk Assessment (NRA) of Proliferation Financing (Regulation 16A) - please read the PF NRA - see link in the Further Reading section below.

The NRA shows examples of PF risk, for example selling oil and other petrochemicals to foreign states, particularly China and Syria, creates significant proliferation financing income for the Iranian regime, despite US sanctions targeting these transactions.

There is no requirement for HMRC (as a supervisory authority) to carry out a PF risk assessment for the sectors we supervise.

Purpose

A business needs to consider the risks it faces with regards to PF, how severe those risks are and the likelihood of it occurring in its business; without this, it wouldn't be possible to prevent the business being exposed to PF.

 

Time Line

This is a requirement which was included in the Regulations from 1 September 2022. Communications were issued to all registered businesses on 31 August 2022 instructing them to review their RA/PCP - see "external communications to customers" in the Further Reading section below.


What to establish

  • Regulation 18A(1) – Has the business taken appropriate steps to identify and assess the risks of PF - This is a fundamental requirement which is in two parts – firstly to identify a risk and then assess the likelihood and impact of the risk. “Appropriate steps” include whether it has followed published guidance. Sector guidance on GOV.UK shows the date the guidance was updated to include PF. It’s important that you only refer to guidance available during the period being reviewed. Bringing in a third party to assist with assessing risk (for example an external compliance consultant) may be construed by a tribunal as taking “reasonable steps”. You therefore need to fully explain why the business has failed in its responsibilities.
  • Regulation 18A(2)(a) - You must review the business’ risk assessment alongside the PF NRA. What action did it take when it received the communication from HMRC? Consider the risks applicable to the business sector and then ask the business how it has taken these into account when assessing the risk.
  • Regulation 18A(2)(b) - Similar to Regulation 18, the RA must assess the PF risk relating to all of the following 5 areas:
    (i) its customers; and whether there is any connection to CBRN weapons
    (ii) the countries or geographic areas in which it operates; particularly Democratic People’s Republic of Korea (DPRK) and Iran
    (iii) its products or services; for example, if export of dual-use goods are involved
    (iv) its transactions; particularly where a transaction is unusual or has no apparent economic or legal purpose
    (v) its delivery channels; for example the use of unconnected third parties with the ability to hide the true beneficiaries
  • Regulation 18A(3) - Are the steps taken appropriate in relation to the size and nature of the business activities?
  • Regulation 18A(4) - Is there a written record of the steps taken when assessing the risk of PF? - Fundamental Requirement. If the business can discuss the risks and how these have been assessed (high, medium or low, etc.) but this has not been written down, it would be a breach of 18A(4).
  • Regulation 18A(5) - Can the business provide the information on which its risk assessment was based?

 

How to test compliance & Evidence to obtain

  • Prior to your first meeting, where possible and applicable, obtain a copy of the latest Risk Assessment document/s to ensure it includes the risk of PF. Businesses supervised by HMRC may not be exposed to a high risk of PF, but the business must still assess the risk, even if it is deemed to be very low.
  • The risk assessment and policy documents may not be separate documents. You may need to see previous versions of the RA document/s to cover the relevant period being reviewed.
  • Question the business about its perceived level of risk and how it has arrived at this assessment; challenge their response as necessary, keeping a clear record of this exchange in notebook and notes of meeting.
  • Question the business to find out how and with whom they operate. Gaining a strong understanding of the business' operating model enables you to identify specific risks to the business and therefore evaluate the business's risk assessment.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)



Further Reading 

National risk assessment of proliferation financing - GOV.UK (www.gov.uk)

Consolidated list of strategic military and dual-use items that require export authorisation- GOV.UK (www.gov.uk)

Risk assess your business for money laundering supervision - GOV.UK (www.gov.uk)

Office of Financial Sanctions Implementation - GOV.UK (www.gov.uk)

FATF Webinar on Proliferation Financing Risk Assessment and Mitigation(fatf-gafi.org)

FATF status report on proliferation financing


FAQs

There have been no specific FAQs in relation to PF - please read FAQs raised under regulation 18 in ECSH63380.