ECSH33400 - Checking internal controls and compliance monitoring

During a compliance intervention, you should ensure that the business has internal controls in place to monitor and manage its compliance with The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).

The requirements for internal controls are set out in regulation 21 MLR 2017. 

You need to check that the business is carrying out regular assessments of its systems and controls to make sure they are working. For example, you should check that:

  • Customer identification and acceptance procedures reflect the risk characteristics of the business's customers.
  • Built-in controls (such as financial thresholds) are working and cannot be overridden without appropriate safeguards.
  • Additional controls are in place for approving transactions when a customer or beneficial owner is a politically exposed person (PEP).
  • Systems are capable of picking up and flagging warning signs of potentially suspicious activity.
  • Systems can identify when transactions are with or through high-risk third countries, and the business is taking additional measures to manage and lessen the risk.

You should consider:

  • Who is responsible for checking that systems and controls are working as intended?
  • Does the business have an internal audit department? If so, how often are checks carried out?
  • Does the business produce any internal audit or compliance monitoring reports? (You may want to ask to see the latest report.)
  • Has the business had any external audits done? If so, you may want to ask about their findings and any actions the business has taken following them.
  • Have the systems been updated since they were introduced?

What the business does to monitor compliance and check that internal controls are working should be explained in the business's policies, controls and procedures.

You should check that the business is doing what is described in writing and that this is appropriate to the size and nature of the business. For example, the expectation for a very small business is different from that for a large business with multiple branches. To determine what is appropriate, you will need to take into account the business's risk assessment and published guidance.

It is important to consider whether the business meets the requirement to establish and maintain systems to respond "fully and rapidly" to enquiries from law enforcement authorities as to whether it has had a business relationship with any person within the last 5 years, and the nature of that relationship. If a business is unable to provide information about customers selected for testing, you should carefully consider whether this requirement has been met.

You should also consider who is appointed as the nominated officer and, where one is required, the compliance officer, to ensure they can carry out their role or roles effectively. If there have been any changes to these individuals, you must ensure that the business has notified us within 14 days of the appointment. You can confirm this from the information held in ETMP. If the business has not notified us, consider imposing a penalty for failure to notify a material change.


Screening of relevant employees

Relevant employees are those involved in the business's compliance with MLR 2017, including the identification or mitigation of the risks of money laundering, terrorist financing and proliferation financing (ML/TF/PF), or the prevention or detection of ML/TF/PF. They must be screened before carrying out their role and during the course of their appointment. Screening should assess their skills, knowledge and expertise to carry out their functions effectively, and their conduct and integrity.

You should establish how relevant employees are screened and confirm when the checks were last completed.

You should ensure that the business understands that if a beneficial owner, officer or manager (BOOM), which includes a nominated officer, is convicted of a relevant offence, the business must tell us within 30 days of becoming aware of the conviction. The BOOM themselves must also inform us within 30 days of the conviction (Regulation 26(10) refers). If a business fails to tell us of a relevant conviction, it should be subject to a failure to notify penalty (see link above).


Electronic money issuers or payment service providers

Electronic money issuers and payment service providers (such as money transmitters) must appoint an individual to monitor and manage compliance with, and the internal communication of, the policies, controls and procedures, as set out in Regulation 21(7).

You must speak to this individual to discuss their role and responsibilities, and how they ensure that situations carrying a higher risk of ML/TF/PF are identified. You should ask to see the information provided to senior management about the operation and effectiveness of the business's policies, controls and procedures. If this is not being done at least annually, the business has failed this requirement.

Businesses with agents and/or branches

If the business has agents included within its registration, you should consider how risk and compliance are managed in respect of the fit and proper criteria, customer due diligence, transaction monitoring and the reporting of suspicious transactions.

If the business has branches or agents, you should establish whether site visits are carried out to check their compliance. If so, you should check that the compliance audit record shows the branch or agent visited, the files reviewed, the staff spoken to, and whether the check was satisfactory or what remedial actions were taken. If site visits are not carried out, you should consider how the business monitors agent and branch activity, and whether any additional premises should be visited as part of your intervention.