Skip to main content
HMRC internal manual

Anti-money laundering guidance for supervised businesses

AMLG1900 - Guidance for all sectors: Policies, Controls and Procedures (PCPs)

9. Policies, controls and procedures (PCPs)

Once you’ve identified and assessed the risks of money laundering, terrorist financing and proliferation financing associated with your business in your risk assessment, you must ensure that you put in place and maintain appropriate PCPs to effectively reduce and manage those risks.

Important note:

You must ensure that there is effective compliance with the PCPs by all persons carrying on the business activity from the senior managers to the front line staff, agents and the agents’ BOOMs. This obligation is central to ensuring that PCPs are not only documented but actively implemented and enforced across the business to effectively mitigate and manage the risks. 



9.1 Specific Requirements for PCPs

Your PCPs must be:

Proportionate with regard to the size and nature of the business

When determining which PCPs are suitable and proportionate to the size and nature of your business, you must consider:

  • The findings in your risk assessment;
  • This guidance and any other guidance issued by HMRC; and
  • Any other relevant guidance issued by any other supervisory authority or appropriate body and approved by HM Treasury.

Based on these considerations, you should adopt a risk-based approach to mitigate the identified risks.

You must consider situations that can present a higher risk of money laundering, terrorist financing or proliferation financing and take enhanced measures to address them. Conversely, for lower-risk situations, it may be appropriate to apply simplified or less intensive measures, provided this is proportionate to your risk assessments.

There are also specific additional requirements regarding PCPs that apply to larger more complex businesses. See section 9.2 for information regarding larger, more complex businesses.

 

Recorded in writing

You must maintain a clear written record of the business’ PCPs. Written records must be updated with any review and/or changes made.  Records of any changes should be kept for five years.

 

Approved by senior management

You must have your PCPs approved by senior management, both when they are implemented and when any reviews and/or changes are made. The names of the senior managers approving the PCPs should be recorded, along with the date they were approved. See AMLG1700 for further information on senior managers and their responsibilities.

 

Communicated throughout your organisation

The business’s PCPs must be communicated to all staff, branches, subsidiaries and agents of your business, both in and outside the UK, and all steps taken to communicate the PCPs must be recorded in writing. See the table below for further guidance on communicating your PCPs throughout your organisation.

Regularly reviewed and updated

The effectiveness of the PCPs should be monitored and improvements made where required to address any deficiencies identified and to reflect any changes in the risks faced by the business. See the table below for further guidance on reviewing and updating your PCPs.

Provided to HMRC when requested

You must provide your written PCPs to HMRC when requested. HMRC will ask for a declaration that you have written PCPs when you apply to register and will refuse your application if you do not have written PCPs in place which satisfy HMRC that the risks have properly been addressed. HMRC may carry out spot-checks on some businesses and may also request your risk assessment at any time to check your compliance with the Regulations.

 

Your PCPS must set out:

How and when to apply customer due diligence (CDD). See AMLG11300 for further information on CDD.

 

 

CDD is the process of identifying and verifying your customers’ identity and obtaining information to understand the nature of the transaction or business relationship. This is necessary to assess the risk of money laundering, terrorist financing and proliferation financing they present. CDD is sometimes referred to as “know your customer” (KYC).  

There are different levels of CDD depending on the level of risk:

  • Simplified Due Diligence (SDD): For customers or transactions that are low risk.
  • Standard CDD
  • Enhanced Due Diligence (EDD): For high-risk customers or situations.

Your PCPs must clearly explain:

  • Which customers and transactions that you consider to be lower risk and why they qualify for SDD, if applicable, and which are considered high risk and require EDD.
  • When and how CDD checks are done – including identifying and verifying customers and beneficial owners, and what information is collected for SDD, CDD, and EDD.
  • Ongoing monitoring procedures
  • Who carries out CDD in your business – and if you wish to rely on a third party to do so, procedures that ensure your reliance on the third party is in accordance with the Regulations. Important note – even if you rely on a third party to apply CDD you remain liable for any failure to apply such measures.

How to identify politically exposed persons (PEPs) and manage the associated risks. See AMLG11650 for further information on PEPs.

 

PEPs are persons that are entrusted with prominent public functions and may present a higher risk of money laundering, terrorist financing and proliferation financing.

Your PCPs must have procedures for identifying when a customer or beneficial owner is a domestic/non-domestic PEP, or a family member or close associate of a PEP and set out how to manage the greater risks that arise with such customers. Measures must include:

Applying appropriate levels of EDD. Whilst EDD must be applied in any case where a customer or potential customer is a PEP, or a family member or known close associate of a PEP, the level of risk and the extent of EDD measures to be applied will vary depending on whether the PEP is a domestic or non-domestic PEP (see AMLG11650 for further guidance)

Identifying their source of wealth and source of funds (where you have or propose to have a business relationship with that customer).

Obtaining approval from senior management for establishing or continuing the business relationship with that customer.

Conducting enhanced ongoing monitoring of any such business relationship.

The procedure for reporting suspicious activity including details of the appointed nominated officer. See AMLG11000 for further information on nominated officers.  

See AMLG11100 for further information on suspicious activity reports (SARs).

 

If any person within the business knows, suspects, or has reasonable grounds to know or suspect that another person is involved in money laundering or terrorist financing, they must disclose it to the nominated officer.

The nominated officer must:

  • Review the report.
  • Decide if it meets the threshold for suspicion or knowledge.
  • If it does, submit a SAR to the NCA as soon as practicable

The business must have clear PCPs in place setting out both the internal reporting process and the process for onward disclosure to the NCA.

Staff training procedures.

You must ensure relevant employees, and any agents used by your business:

  • Are made aware of the law relating to money laundering, terrorist financing and proliferation financing
  • Are regularly trained to recognise the risks of money laundering, terrorist financing and proliferation financing.
  • Understand what they should do to manage the money laundering, terrorist financing and proliferation financing risks as set out in the PCPs. This must include the requirement to disclose suspicious activity to the nominated officer, and when and how this should be done.

Record keeping policies for further information on record keeping.

 

You must have PCPs in place to ensure you maintain records that satisfy your record keeping obligations under the Regulations, which should also include the manner in which the records will be kept to ensure they are easily identifiable and accessible.

How you should ensure the business is able to respond to enquiries.

 

You must have PCPs in place to respond quickly and fully to enquiries from HMRC officers, police, and other authorities named in the Regulations as to whether your business has had a business relationship with a person in the past five years, and to explain the nature of that relationship.

Your PCPs should clearly set out how you will gather and provide this information when asked.

How you should review and update the PCPs.

 

Your PCPs must set out how you will review and update them.

HMRC has the following expectations:

  • Regular assessments of your systems and internal controls to make sure they are working and they are effectively managing the risks. Where the controls you have in place identify any weakness, you should document this and record the action taken to address the weakness.
  • Whenever the business’s risk assessment is updated, then a review of the business’s PCPs should be conducted to ensure that measures are in place to effectively mitigate and manage any newly identified risk.
  • Your PCPs are reviewed at least annually, even if no changes seem necessary. You should record the review date and note any changes. If no changes are made, you should still keep a record of the review.
  • Copies of all previous versions of your PCPs should be kept for a minimum of 5 years.

How you should communicate your PCPs.

You must establish and maintain procedures for the communication of the PCPs within the business and record the steps taken to communicate those PCPs. These procedures should include:

  • Communication of the PCPs when appointing new staff or agents or opening a new branch. (See sections 9.2 & AMLG11200 for further guidance on managing group subsidiaries and branches).
  • Ongoing communication of the PCPs to all staff and agents when there are updates or changes and at least annually where there are no changes.

How you should monitor and manage internal compliance with your PCPs.

 

You must have processes in place to monitor and manage internal compliance with your PCPs, to ensure that staff and agents are complying with the PCPs. It is recommended that you have a quality assurance mechanism to ensure staff and agent compliance, such as an internal or external audits which should include testing a sample of transactions to ensure staff are complying with PCPs.

If appropriate given the size and nature of your business, the PCPs must include having an independent audit of your PCPs and appointing a compliance officer (See section 9.2 below).

How you should ensure appropriate measures are taken to assess and mitigate risks that arise when new products, business practices or technology are adopted.

 

When the business adopts new products, business practices or technology, appropriate measures must be taken to assess and, if necessary, mitigate any risks that may arise as a result of the new products, business practices or technology that are adopted. See AMLG1800 for examples. This must be done in preparation for, and during the adoption of, the change and the measures must be immediately incorporated into the business’s PCPs and communicated with staff and agents.

How you should identify and monitor other high-risk transactions.

 

You must have PCPs in place to identify and monitor:

  • Transactions which are unusually complex or unusually large relative to what is typical for the sector or the nature of the transaction.
  • Unusual patterns of transactions.
  • Transactions without any apparent economic or legal purpose.
  • Any other activity or situation which you regard as particularly likely by its nature to be related to money laundering financing, terrorist financing or proliferation financing.

When designing systems to identify and deal with suspicious activity, there are some warning signs of potentially suspicious activity that your systems should be capable of picking up and flagging for attention. You will always need to consider the circumstances of each case, which you will need to assess on an individual basis. See AMLG11100 for further information on SARs and Part 3 for warning signs, red flags and indicators of suspicion.

Specific additional measures you should take for transactions which might favour anonymity.

 

You must have PCPs that specify additional measures, where appropriate, to prevent the use for money laundering, terrorist financing and proliferation financing of transactions which might favour anonymity. For example, customers that are not seen face-to-face or that use anonymous funding sources.

Risks associated with money service businesses that use agents. See AMLG1600 for further information on the fit and proper test.

 

 

If you are a money service business that uses agents, your PCPs must include appropriate measures to assess:

  • Whether each agent, and their BOOMs, would satisfy the fit and proper test.
  • The extent of the risk that the agent may be used for money laundering, terrorist financing and proliferation financing.

See Part 2 - MSB sector specific guidance, for further information.

 

9.2 Additional requirements for larger, more complex businesses

Important note: 

The below requirements do not apply to you if you are an individual who does not employ or act in association with anyone else.



Where it is appropriate, having regard to the size and nature of your business, there are some additional PCP requirements set out in the Regulations that must be applied.

These additional PCPs must include:  

  • The appointment of a compliance officer from the board of directors (or equivalent body) or senior management who has responsibility for monitoring the effectiveness of and compliance with the PCPs, including regular reviews to learn from experience. See AMLG11000 for further guidance on appointing a compliance officer.
  • Individual staff responsibilities under the Regulations where this is not confined to the nominated officer. See AMLG11000 for further guidance on appointing a nominated officer.
  • How the business will assess the conduct and integrity of relevant employees and their skills, knowledge and expertise to carry out their functions effectively both before they are appointed and during the course of their appointment. As a minimum, HMRC expects these PCPs to include the following:
    • Home Office checks to ensure that any relevant employees who are non-UK citizens have the right to work in the UK.
    • Conducting basic DBS checks prior to appointment to establish whether relevant employees have any unspent convictions for relevant offences in the UK.
    • Checking for unspent convictions for relevant offences overseas. For further guidance, see AMLG1600.
    • A requirement for relevant employees to notify you immediately if they are convicted of a relevant offence.
    • Ensuring that employees carrying out relevant activity have the skills and training to ensure compliance with the relevant requirements.
  • HMRC also expects the PCPs to include the action which you will take on any adverse outcomes to these checks.
  • The process for independently auditing the business’s PCPs to check whether they are adequate and effective and whether they are being complied with throughout the business.

In deciding what is appropriate to include in your PCPs with regard to the size and nature of your business you must take into account the findings in your risk assessment and should also adhere to this guidance and any guidance issued by another appropriate body and approved by HM Treasury.

Important note:

 
The responsibility for compliance with the Regulations rests with your business: relying on an independent audit does not absolve the business of that responsibility.

HMRC expects you to implement the additional PCPs above if any of the following apply to your business:

  • It has more than one premises.
  • It uses branches or agents.
  • It has a high turnover of customers.
  • It carries out non-domestic or cross border trading
  • It has complex ways to deliver services.

Even if none of the above apply to your business, you may still decide it is appropriate for your business to implement the additional PCPs having considered the following factors which HMRC also expects you to take into account when making that assessment:

  • The nature, scale and complexity of your business.
  • The diversity of its operations, including geographical diversity.
  • The volume and size of its transactions; and
  • The degree of risk associated with each area of its operation.