ECSH85625 - How to carry out a Regulation 83 review
Regulation 83 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) sets out that when determining the type of sanction or value of a penalty we must take into account all relevant circumstances. Therefore, it is not sufficient to only establish that a breach has occurred; you must ask sufficient questions and gather sufficient evidence to establish the impact of the breach and how it occurred. Further guidance on financial penalties is available in ECSH82500.
Some of the factors detailed below will have been considered when applying the penalty framework. However, decision makers should satisfy themselves that all relevant facts are considered in relation to each factor.
Criminal Conviction Check
Regulation 83 requires that we check whether a business or individual has any criminal convictions which may be relevant to any of the other considerations which it prescribes. These checks are to be conducted within three months of the date any sanction is to be imposed.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
Gravity and duration
Quantifying gravity relates to the seriousness of the breach and will involve consideration of a range of factors. A breach or series of related breaches could have a wide impact within a business, but ultimately not lead to a significantly heightened risk of that business being utilised for money laundering, terrorist financing or proliferation financing (MLTFPF). Equally, the inverse may be true, where one isolated incident leads to a single but significant breach, greatly heightening the risk of, or resulting in, the business being utilised for MLTFPF. You should investigate and consider the depth and breadth of consequences arising from a breach, with particular emphasis on their impact on the business’ risk of being utilised for MLTFPF. For certain breaches, such as those affecting specific transaction types or customer groups, you may be able to illustrate this in terms of funds at risk.
Duration relates to the time over which the breach or breaches occurred, for example, calculating how long a business or individual has been carrying out relevant activity without meeting their obligations under MLR 2017.
Gravity and duration should be considered in tandem to ensure the overall severity of a breach is addressed accordingly.
The degree of responsibility
There are several factors to be established and examined when considering degrees of responsibility. Firstly, it is important to establish whether a breach was avoidable and, if so, why it was not avoided. What actions should have been taken which would have identified or potentially prevented the breach? When was a breach ultimately identified and acted upon? For example, what controls does the business have in place to identify an employee who is deliberately circumventing controls? The breach may not necessarily have been avoidable, but the business should have controls in place to ensure such instances were identified quickly and remedial action taken.
Once the context of the breach has been established, you must determine who was responsible for it, if they knew about it and what steps, if any, they took to correct the breaches. For example, establish if they notified senior managers of the risk, contacted HMRC or sought legal advice.
If your case involves a sole proprietor with no staff, the sole proprietor will be responsible. In a larger business, you need to establish the company structure and who is ultimately responsible. Remember, a Nominated Officer’s legal role is to handle suspicious activity reports; they may not be responsible for monitoring and managing risk or for establishing and maintaining policies, controls and procedures (PCPs).
There may be a Compliance Officer or Compliance Team who carry out reviews of the effectiveness of the PCPs and report regularly to the board of directors. You may need to speak to the person who carried out the latest review and obtain a copy of the report. If there has been no such review, you will need to establish the reasons why.
If the person responsible for the breach has read relevant guidance, you need to consider why it hasn’t been followed. Was the requirement ignored or misunderstood? Responses to these questions may also impact behavioural reductions. Further guidance on establishing behaviours is available in ECSH85705.
Regulation 21 MLR 2017 sets out that where appropriate to the size and nature of its business, a member of the board of directors or senior management should be appointed as the responsible officer for the relevant person's compliance with MLR 2017. If an independent audit has been carried out, establish who was responsible for ensuring any recommendations were implemented. You will need to speak to the responsible officer to discuss how the breaches occurred.
Regulation 19 MLR 2017 also states that a relevant person must record steps taken to communicate their Policies, Controls and Procedures and any changes to them, for example following a change in legislation. Ask the business who was ultimately responsible for making those changes. You should speak to this individual to understand whether this was done, and if not, why.
These considerations will lead you to understand whether it was the business as a whole at fault, or a particular individual. Should it appear that breaches arose as a result of the actions of an individual, where appropriate, you may wish to consider whether that individual can be considered to be a fit and proper person. Further guidance on the fit and proper test is available in ECSH45810. If there is evidence that an officer of the company was knowingly concerned in the contravention of a relevant requirement on them, then you may wish to consider a prohibition on management or officer liability penalty. Further guidance on prohibition of management is available in ECSH83000. Further guidance on issuing penalties to officers of businesses is available at ECSH82810.
Financial strength
HMRC systems and annual accounts will provide details regarding the financial strength of the business and any individuals involved. Applying the penalty framework on gross profit, with its considerations to direct costs and other administrative expenses, should ensure a penalty remains commensurate to the financial strength of the business. Also, if the business is part of a group, you may wish to consider the financial position of the wider group. There will likely be overlap between this consideration and those factors considered as part of your appropriateness review.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
For further details on how HMRC calculates gross profit see ECSH82815. For further guidance on appropriateness reviews see ECSH85650.
The amount of profits gained or losses avoided
Profit and loss may be calculated differently across our supervised sectors. You must establish with the relevant person how profits are generated during the relevant period. For example, some sectors may profit solely from fees charged for each activity, while some have set commissions fees or profit from fluctuations in exchange rates. Further guidance on the sectors supervised by HMRC is available in ECSH50000. Losses avoided could include such elements as costs associated with compliance or fees which should have been paid.
Losses for third parties caused by the contravention or failure
You need to consider if the non-compliance has led to losses for others. For example, a compliant business may have lost out on sales to a competitor who was able to offer services at a lower price by avoiding costs associated with compliance.
The level of co-operation
You must consider how much the business or individual has assisted during our engagement with them. Further guidance on establishing behaviours is available in ECSH85705.
Previous contraventions or failures
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)
Where a previous sanction has been imposed, or a warning letter has been issued, it may affect the sanction being considered. For example, the caseworker may decide that the continuing non-compliance demonstrates deliberate or complicit behaviour.
For further details of systems HMRC use to consider previous contraventions or failures see ECSH32730.
Any potential systemic consequences of the contravention or failure
You must establish and consider the potential wider ramifications of the breach in the context of the systems within which the individual or business operates. Those systems could include the entity itself; its corporate group; associated entities such as agents or Intermediary Payment Service Providers in the case of money transmitters; whole sectors of industry; or even the economy itself. Depending on the nature and scope of the contravention or failure, the ripple effect from exposure to MLTFPF could have far-reaching consequences throughout various systems which the individual or business is party to.
Not all of the above factors may be relevant in each case.