ECSH33400 - Checking internal controls and compliance monitoring

During a compliance intervention, you should ensure that the business has internal controls in place to monitor and manage its compliance with The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations (MLR 2017).   

The requirements for internal controls are set out in regulation 21 MLR 2017. ive examples: 

  • Ensure customer identification and acceptance procedures reflect the risk characteristics of customers.
  • To identify when a customer or beneficial owner is a politically exposed person (PEP) and ensure additional controls are in place for approving transactions with them. 
  • Systems are capable of picking up and flagging warning signs of potentially suspicious activity. 
  • Systems can identify when transactions are with or through high-risk third countries and the business is taking additional measures to manage and lessen the risk.

You need to check the business is carrying out regular assessments of its internal controls and systems to make sure they are working. You should consider: 

  • Who is responsible for checking that the internal controls are working? 
  • Does the business have an internal audit department? 
  • If so, how often are checks carried out? 
  • Does the business have any reports? (You may want to ask to see the latest report). 
  • Has the business had any external audits done?  If so, you may want to ask about their findings and any actions the business has taken following this. 

You should also consider who is appointed as the nominated officer and compliance officer where necessary to ensure they can carry out their role/s effectively. 

What the business does to monitor compliance and check that internal controls are working should be explained in the business’s policies, controls and procedures.   

You should check the business is doing what is described in writing and that it is appropriate to the size and nature of the business. For example, the expectation for a very small business is different than a large business with multiple branches. For more guidance on what is appropriate, see the technical guidance in the link above. 

It’s important to consider whether the business meets the requirement to establish and maintain systems to respond “fully and rapidly” to enquiries from law enforcement authorities, as to whether it has had a business relationship with any person, and the nature of that relationship, within the last 5 years. 

Businesses with agents and/or branches 

If the business has agents included within its registration, you should consider how risk and compliance are managed in respect of fit and proper criteria, customer due diligence, transaction monitoring and reporting suspicious transactions. 

If the business has branches or agents, you should establish whether site visits are carried out to branches or agents to check compliance. If so, you should check the compliance audit indicates the branch visited, files reviewed, staff spoken to and whether the check was satisfactory or what remedial actions were taken. If not, you should consider how the business monitors agent/branch activity and consider whether any additional premises should be visited.