ECSH82791 - Sanctions for non-compliance: financial penalties: financial penalties framework: groups of related contraventions

Contraventions under MLR 2017 will in general fall into several groups of related contraventions.

Fundamental requirements

These are the fundamental requirements for having effective anti-money laundering controls in place

  • Regulation 18 (1) - failure to identify and assess the risks of money laundering, terrorist financing and proliferation financing a business is subject to and to take account of information provided and risk factors
  • Regulation 18(4) - failure to keep an up-to-date record in writing of the risk assessment
  • Regulation 18(6) - failure to provide the risk assessment when requested
  • Regulation 18A – failure to identify and assess the risks of proliferation financing to which its business is subject and take into account information provided and risk factors
  • Regulation 19 - failure to establish, maintain, review, update, keep a record in writing and communicate the policies, controls and procedures to mitigate and manage the risks identified in the risk assessment
  • Regulation 19A – failure to establish, maintain, review, update, keep a record in writing  and communicate the policies, controls and procedures to mitigate and effectively manage the risks of proliferation financing identified in the risk assessment undertaken in Regulation 18A(1)
  • Regulation 20 – failure to apply policies, controls and procedures to subsidiaries and branches in and outside the UK
  • Regulation 21(1) – failure to appoint a compliance officer, screen relevant employees and establish an independent audit function
  • Regulation 21(3) - failure to appoint a nominated officer,
  • Regulation 21(4) - failure to notify the identity of and changes to the compliance and nominated officer
  • Regulation 21(5) – failure to consider internal disclosures of suspicion
  • Regulation 21(7) - failure to appoint an individual to monitor and manage compliance with, and internal communication of, the policies, controls and procedures adopted under regulation 19.
  • Regulation 21(8) - failure to establish and maintain systems which enable it to respond fully to enquiries from law enforcement officers
  • Regulation 26(4) failure of a relevant person to take reasonable care that no-one is appointed, or acts in a capacity that requires approval, without being approved
  • Regulation 26(5) – failure of a sole practitioner requiring approval to be approved
  • Regulation 26(10) - failure of a relevant firm to inform HMRC of a conviction for a relevant offence within the specified time
  • Regulation 40 - failure to keep the required records and provide them when required
  • Regulation 41 - failure to provide customers with the required information in relation to data protection
  • Regulation 78(5) - failure of a relevant person to take reasonable care to ensure that a prohibited person does not act in a management role

Fundamental customer due diligence measures

  • Regulation 27 - failure to apply customer due diligence measures when required.
  • Regulation 28(2) - failure to identify and verify the customer and assess the purpose and intended nature of the business relationship or occasional transaction
  • Regulation 28(3) - failure to obtain, determine and verify details as specified where the customer is body corporate
  • Regulaiton 28(3A) - failure to take reasonable measures understand the ownership and control of  a customer who is a legal person, trust, company, foundation or similar legal arrangement.
  • Regulation 28(4) - failure to identify and take reasonable measures to verify the identity of the beneficial owner
  • Regulation 28((8) - failure to keep records of steps taken to identify the beneficial owner of a corporate body
  • Regulation 28(10) - failure to identify and verify a person acting on behalf of the customer and to verify their authority to act
  • Regulation 28(11) - failure to conduct ongoing monitoring of a business relationship
  • Regulation 28(12) - failure to take account of the risk assessment and level of risk when taking customer due diligence measures
  • Regulation 30 - failure to comply with the requirements on timing of verification
  • Regulation 30A – failure to report any discrepancies to the registrar of companies between information held on the beneficial ownership of a customer, as a result of customer due  diligence, and information on the register.
  • Regulation 33 - failure to apply enhanced due diligence and enhanced ongoing monitoring where required
  • Regulation 35(1) – failure to have appropriate risk management systems and procedures to determine whether a person is a politically exposed person (PEP) or a family member or known close associate of a PEP and to manage the enhanced risk of the business relationship or transactions
  • Regulation 35(5) – failure to take additional measures in relation to a PEP
  • Regulation 37 - failure to apply simplified due diligence appropriately taking account of the risk assessment, information provided to it and the risk factors
  • Regulation 39(2) - failure to use reliance appropriately and to obtain the customer due diligence information from the person relied on and to enter into arrangements as required

Other customer due diligence measures

  • Regulation 31 – failure to cease transactions where a relevant person is unable to apply customer due diligence measures

Other breaches

  • Regulation 24 – failure to take appropriate measures to ensure relevant employees are trained, made aware of the law relating to money laundering and terrorist financing, data protection requirements and to maintain a written record of the measures taken to train relevant employees
  • Regulation 66 - failure to provide information or produce documents specified in a notice, or attend for an interview
  • Regulation 69 - failure to allow entry, inspection of premises without warrant
  • Regulation 70 - failure to allow entry under warrant

Registration breaches

  • Regulation 56 (1) and (5) - failure of a relevant person to be included in the appropriate register
  • Regulation 57(1) - failure to provide the specified information at registration
  • Regulation 57(4) - failure to notify changes affecting registration or subsequent information within the specified time.
  • Regulation 57 - failure to comply with a requirement imposed by a registering authority