Category Heading
|
Description
|
The Law
|
Regulation 21 - Internal controls
|
What it means
|
A relevant person must put in place controls to effectively monitor
and manage its Anti-Money Laundering (AML) policies, controls and procedures
(PCPs).
|
Purpose
|
To confirm sufficient resources and appropriate persons are appointed
to ensure compliance with the MLRs and the effectiveness of PCPs in
preventing Money Laundering or Terrorist Financing (MLTF).
|
Time Line
|
Similar provisions were provided within regulation 20 MLR 2007, regulation 3 of MLR 2003 (Money Service Businesses (MSBs)/High Value Dealers
(HVDs)) and regulation 3 of MLR 2001 (MSBs only) to comply with the
requirements of MLR 1993.
|
What to establish
|
Regulation 21(1) states that the requirements shown below are
“appropriate with regard to the size and nature of its business”. This means
it may not be necessary to employ additional staff to carry out all of the
functions below, although the responsibilities remain.
Sub-section (10) sets out that in determining what is “appropriate” a
relevant person MUST take into account its Risk Assessment (RA) under
regulation 18(1); and MAY take into account any guidance issued by its
supervisor (e.g. sector guidance).
Regulation 21(3) states that an individual in the relevant person's firm must
be appointed as a nominated officer (NO).
This doesn’t apply where the “relevant person is an individual who neither
employs nor acts in association with any other person” (regulation 21(6)) – in other
words, if it is a “one-man band”, that person will be responsible for the
effectiveness of their AML procedures and for reporting suspicious activity
to the National Crime Agency (NCA).
If the relevant person is a partnership, or there’s more than one director, a
NO must be appointed.
The NO must consider internal suspicious activity reports to determine
whether there are reasonable grounds to know or suspect that a customer is
engaged in MLTF (regulation 21(5)).
The NO must consider the report in the light of relevant information
available. It’s important therefore that the NO has access to all customer and
financial information and is of sufficient seniority to make independent
decisions.
The NO must therefore be employed within the business and cannot be an
external appointment, such as an external accountant or compliance
professional.
Failing to disclose knowledge or suspicion of ML is an offence under Part 7
of the Proceeds of Crime Act 2002.
Where there is a board of directors (or equivalent), one of the directors
must take responsibility for AML and update the rest of the board as
appropriate in accordance with regulation 21(1)(a). HMRC Compliance Officers should
always establish who the Senior Responsible Officer (SRO), or compliance
officer, is within the business to determine who is ultimately responsible.
The relevant person must advise HMRC of any appointment or changes to the NO
or SRO within 14 days (regulation 21(4)), as opposed to the standard 30 days to notify
of a material change.
Depending on the size and nature of the business, there must also be an
independent audit function, i.e. separate to those carrying out the day to
day activities of the business.
The audit must review the effectiveness of the AML procedures and make sure
they are working to prevent MLTF. Where recommendations for improvement are
made, the audit function must make sure they are implemented.
A payment service provider (e.g. a money transmitter, bill payment service provider or telecom, digital and IT payment service provider) subject
to the relevant requirements of the funds transfer regulations MUST appoint
an individual to communicate, monitor and manage compliance with its PCPs in
order to:
(a) identify situations carrying a higher risk of MLTF;
(b) keep a record of its AML RA/PCPs;
(c) ensure the PCPs are applied to all relevant functions including any changes to business activities, new products or new customers; and
(d) provide information to senior management about the operation and effectiveness of its PCPs at least annually and at other times as appropriate – regulation 21(7).
Where staff are employed to carry out any of the above functions, they MUST
be “screened”. This is similar to the fit and proper test under regulation
58, to ensure the conduct and integrity of the individual(s) and that they
have appropriate skills, knowledge and expertise to carry out their function
effectively.
“Relevant employees” are defined at regulation 21(2)(b) and include staff whose work
is relevant to compliance with the regulations, contributes to identifying or
mitigating risks of MLTF, or the prevention or detection of MLTF.
It therefore encompasses all key roles (customer-facing staff, NO, SRO,
compliance officer or team, auditor etc.).
Screening is an ongoing requirement and checks must be repeated.
A relevant person must establish and maintain systems which enable it to
respond “fully and rapidly” to enquiries from law enforcement agencies (LEAs,
defined at regulation 21(9)) regarding its customers during the previous
five years. This is linked to the requirements under regulation 40
(Record keeping).
|
How to test compliance and evidence to obtain
|
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
|
Scenario
|
Whilst you are trying to book a visit, the receptionist tells you that the
individual left the business about 18 months ago, but she’ll put you through
to the person who took over their job. You recognise the business has failed
to inform HMRC of the appointment of a Nominated Officer within 14 days, which
is a breach of regulation 21(4)(c). You ask the business owner why HMRC was not
informed of the change and he tells you that unfortunately the previous NO
left unexpectedly and he wasn’t aware of what he had to do.
You advise him to log in to the business’s Government Gateway account and
amend the application immediately.
|
Best Practice
|
At the start of any intervention etc., HMRC compliance officers should
speak with all the individuals above to establish their roles and
responsibilities to ensure they are dealing with the correct person. This
means you may be speaking to more than one officer within the business.
|
AMP
|
No additional Best Practice.
|
ASP
|
No additional Best Practice.
|
EAB
|
No additional Best Practice.
|
LAB
|
No additional Best Practice.
|
HVD
|
No additional Best Practice.
|
MSB
|
No additional Best Practice.
|
TCSP
|
No additional Best Practice.
|
Further Reading
|
Schedule 6 - Relevant Requirements
|
Proceeds of Crime Act 2002
(legislation.gov.uk)
|
ECS Penalties Guidance - HMRC – ECSH 80000
|
Business tax: Anti money laundering
supervision - detailed information
|
National risk assessment of money
laundering and terrorist financing 2020
|
Suspicious Activity Reports -
National Crime Agency
|
FAQs
|
Can the NO be based overseas?
Yes, as long as they are still employees within the business structure.
If a person is not an employee within the business, can they still be an
NO?
No, they must be an employee within the business, or the business
group/structure.
Can an employee provide the ‘independent audit function’?
Yes, as long as they are not “marking their own work”.
|