# ECSH63390 - Regulation 19 - Policies, controls and procedures
## The Law

Regulation 19 - Policies, controls and procedures
## What it means

The relevant person/business must use its Risk Assessment to set out its procedures for effectively mitigating each risk identified. These must be written down, be regularly reviewed and updated, and be communicated throughout the business.

The policies, controls and procedures (PCPs) must cover:

- risk assessment and management
- customer due diligence (CDD) measures
- record keeping
- internal controls
- monitoring and management of compliance
- the internal communication of these PCPs

Remember - 'must' denotes a legal obligation; setting out policies, controls and procedures which are specific to the business is not optional, and failure to comply with Regulation 19 is a breach.
## Purpose

A relevant person/business needs to know the risks faced and how severe those risks are - without this, it would not be possible to prevent the business being exposed to Money Laundering and Terrorist Financing (MLTF). Once the risks are identified, the business must show how it effectively mitigates and monitors them.
## Time Line

There was a requirement under Regulation 20 MLR 2007 to have risk-based policies and procedures, and within Regulation 3 MLR 2003 to have AML procedures (known as CATCH), but there was no previous requirement for these to be in writing.
## What to establish

- 19(1)(a) - Does the relevant person/business have PCPs that effectively mitigate and manage the risks of MLTF identified in its Risk Assessment? - Fundamental Requirement
- 19(1)(b) - How often are reviews and updates carried out? Is there a record that shows that regular reviews and updates have been undertaken? Does the period between reviews seem reasonable? - Fundamental Requirement
- 19(1)(c) - Are the PCPs written down? Is there a record of review dates or document version control? Are there records to show that the PCPs have been communicated to the right people? - Fundamental Requirement
- 19(2) - How big and complex is the business? Do the PCPs reflect this? Have the PCPs been approved by Senior Management?
- 19(3) - Do the PCPs include the relevant person/business's:
  - (a) risk management practices
  - (b) internal controls
  - (c) CDD procedures
  - (d) reliance and record keeping procedures
- 19(3)(e) - Do the PCPs explain how the relevant person/business will monitor and manage its staff and/or agents' compliance with the PCPs? Are there internal audit reports? How have the PCPs been communicated to the relevant staff and/or agents?
- 19(4)(a) - What is a typical/common transaction for the relevant person/business? Do they treat certain transactions differently (e.g. an export or a transaction over a certain value)? Are there separate teams responsible for sales and compliance, and how do they interact?
- 19(4)(b) - Are any customers anonymous (i.e. a complex ownership structure prevents identification of the BOOM)? Are any transactions non-face-to-face? What does the relevant person/business do to address the risks of products or transactions which favour anonymity?
- 19(4)(c) - Does the relevant person/business update its PCPs ahead of introducing new products, practices or technologies, to account for the associated risks? Is there a record of review dates or document version control to corroborate this?
- 19(4)(d) - How do staff and/or agents report suspicions that a person is engaged in ML or TF? Who do they report to, and is a record kept? Are internal SARs raised and recorded?
- 19(5)(b) - Has the relevant person/business taken into account any guidance issued by the supervisory body?
- 19(6) - Are there any branches or subsidiaries of the relevant person/business based outside the UK? If so, is there a record to demonstrate they have been sent, and are aware of, the PCPs?

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
## Scenario

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
## Best Practice

See sector-specific information below:
### AMP

CDD procedures, especially concerning politically exposed persons, their family members and close associates. Enhanced CDD is to be carried out.

An AMP's customer depends on its business model:

- Purchaser (including a broker or agent acting on their behalf)
- Seller, where the AMP provides a service to, and receives financial value from, them

Please see BAMF AML guidance.
### ASP

We need to understand the business records and the "onboarding of clients" procedures the business used to inform its Risk Assessment, and then assess the level of risk for each of its clients. See Para 4 of the CCAB Guidance for the Accountancy Sector.
### EAB

19(4)(b) - Complex and opaque ownership structures that lend themselves to anonymity. CDD checks must be carried out on both sellers and buyers, as well as ongoing monitoring. Identify politically exposed persons as well as family members and close associates. Enhanced CDD is to be carried out. Please see para 3 of EAB Guidance – Paras 5.15 et seq.
### LAB

CDD checks must be carried out on both parties, as well as ongoing monitoring.
### HVD

- Understand the business records/information sources used to inform its Risk Assessment.
- Ensure procedures record authority levels - who can authorise a large cash payment?
- Procedures must record when CDD is carried out (and not solely for commercial reasons) - is there a sterling limit?
- Ensure these are extended to all parties to the transaction, especially for export customers relying on other individuals/businesses in the UK to make a cash payment on their behalf.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

- Who reviews records to ensure that all relevant cash payments have been identified?

Please see para 3 of HVD Guidance.
### MSB

19(4)(e) - A money service business that uses agents must ensure that appropriate measures are taken to enable it to assess (i) whether the agents would satisfy the fit and proper test (Reg 58) and (ii) the risk that the agent may be used for ML or TF.

It is important to remember that being sure an agent satisfies the fit and proper test (Reg 58) goes above and beyond verifying that the individuals within the agent, and any officer, manager and beneficial owner of the agent, have no Schedule 3 convictions. The MSB principal must take into account all parts of the test, including those listed in 58(4). HMRC has also published fit and proper guidance, available on GOV.UK: Fit and proper technical guidance.

- Is the agent onboarding procedure clearly stated?
- When assessing the risk that an agent may be used for MLTF, does the Principal take into account whether the agent is registered with multiple principals and/or has its own independent registration? Does the agent in fact have an agent network of its own?
- Has the agent's location, including its proximity to other MSBs, been taken into account?

In a Principal-Agent relationship, the MSB Principal is responsible for ensuring all of its agents have, know, understand and follow the Principal's PCPs.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

When considering whether the CDD thresholds set are appropriate, you should consider the "size and nature" of the business - i.e. does the average transaction value align with the threshold amount? Do the PCPs match the risk?

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

- Do the PCPs cover all services being undertaken by the MSB?
- Does the MSB conduct relevant activity in its own right and/or through an agent network? Do the PCPs reflect both of these?
- Do the PCPs cover the MSB sub-sectors being provided (Money Transmission, Currency Exchange and Cheque Cashing)?

Please see para 3 of MSB Guidance.
### TCSP

19(4)(b) - Complex and opaque ownership structures that lend themselves to anonymity. Please see para 3 of the TCSP Guidance.
## Further Reading

- JMLSG guidance Part 1 Chapters 1 and 2
- National Risk Assessment Dec 2020
- National Risk Assessment Oct 2017
- Part 3 Terrorism Act 2000
- Part 7 of Proceeds of Crime Act 2002
## FAQs

**What if the Risk Assessment and PCP documents are in the same document?**

There is no legal obligation for relevant businesses to have two separate documents, as long as the content sufficiently covers each requirement of the Regulations.

**What terminology should I use when completing a table of failure?**

Use the terms from the Regulations, e.g. failed to keep a "record in writing" rather than a written record.