ECSH63380 - Regulation 18 - Risk assessment by relevant persons

The Law
https://www.legislation.gov.uk/uksi/2017/692/regulation/18
What it means
A relevant person/business must identify and assess the risk of Money Laundering and Terrorist Financing ('MLTF') to its business.
Remember - 'must' denotes a legal obligation; undertaking a risk assessment (RA), which is specific to the business, is not optional and failure to do so is a breach of Regulation 18.
The RA must be specific to the nature of the activities and the organisational structure (including branches and agent networks).
The RA must consider risks published by HMRC in sector risk assessments and guidance on GOV.UK, along with the 5 factors shown in the “What to establish” section below.
Purpose
A relevant person/business needs to know the risks faced and how severe those risks are - without this, it wouldn't be possible to prevent the business being exposed to MLTF.
Time Line
The subject of risk assessment and management is referred to in Reg 20 MLR2007 (Policies and procedures)
What to establish
18(1) - Has the relevant person/business taken appropriate steps to identify and assess the risks of ML/TF? This is a fundamental requirement which is in two parts: firstly to identify a risk, and then to assess the likelihood and impact of that risk.

“Appropriate steps” include whether it has followed published guidance and has considered whether the risks shown in our published sector risk assessment are present within the business.

Information published on GOV.UK shows the date guidance came into force and any subsequent revisions made. It’s important that you only refer to guidance available during the trading period being reviewed. For example, if a risk was added to sector “Understanding risk and taking action” in October 2022, you cannot expect a business to have considered the risk in its own risk assessment until after that date.

Bringing in a third party to assist with assessing risk (for example an external compliance consultant) may be construed by a Tribunal as taking “reasonable steps”. You therefore need to fully explain why the business has failed in its responsibilities.

18(2)(a) - You must review the business’s documents alongside the published guidance and external risk assessment. What is the business's awareness of HMRC's published guidance? Has it read the “Understanding risks and taking action” guidance alongside the National Risk Assessment? What information has it taken into account regarding high risk third countries (HRTC)?  

The table in the Schedule 3ZA tab shows when countries were added and/or removed as a HRTC. Note: the Sch 3ZA tab is still there, but the list was omitted on 23 Jan 2024; now use the FATF list of High-risk and other monitored jurisdictions, available at this hyperlink in your browser:

https://www.fatf-gafi.org/en/topics/high-risk-and-other-monitored-jurisdictions.html

Is the business aware FATF publishes reports on countries in which the business, or its customers, may operate? Has it used any of these documents when compiling its RA? If not, why not? If a risk hasn’t been communicated in our published guidance or external risk assessment, it is difficult to allege that a business has failed to comply with this part. Therefore, if you identify a risk within a case which isn’t yet covered in guidance, please discuss with your sector SPOC or raise at a sector meeting.  

18(2)(b) - Has the business properly considered the risk factors relating to:
customers;
countries or geographical areas in which it operates;
its products or services;
transactions; and
delivery channels.

18(3) - How big and complex is the business? Have risk factors been considered for all facets of the business?

18(4) - Is there a written record of the steps taken when assessing their business? This is a fundamental requirement.

18(6) - Can they provide, in writing and upon request, the information on which the risk assessment was based?
How to test compliance and evidence to obtain
Prior to your first meeting, where possible and applicable, obtain a copy of the latest Risk Assessment together with its version control/amendment history.
Ensure a written record of the Risk Assessment process is available. The Risk Assessment and PCP documents may not be separate documents.
Question the business about its perceived level of risk and challenge their response as necessary, keeping a clear record of this exchange in your notebook and notes of meeting.

Question the business to find out how they operate. Find out the end-to-end process of a transaction.
What risks have been identified, and how have they been assessed?
Scenario
During a visit, an ASP says he doesn’t have a written risk assessment but he considers his 23 customers carry a low risk of ML/TF. You ask what information the ASP used when deciding all customers are low risk. The ASP replies that he read all of the relevant guidance and that because he only carries out bookkeeping for people in his village, there are no risk factors present. You warn the ASP that he must record these steps in writing and keep the document up to date. This is a breach of 18(4).

However, whilst testing customer due diligence records, you discover a customer who pays higher fees than the others you looked at. You decide to ask the ASP if he carries out additional services for this customer and he explains that he also files quarterly VAT returns for 5 businesses. These were not considered in his (verbal) risk assessment. You ask him to tell you more about these 5 businesses. The ASP explains that a person he knows from his golf club asked him to set up 5 companies and submit the VAT returns and annual accounts. He said he hasn't met any of the directors but he receives all of their paper receipts so he's sure it's OK. The risk of ML/TF has considerably increased from the initial risk assessment carried out by the ASP, which is a breach of 18(1).
Best Practice
Obtain a copy of the latest Risk Assessment at the start of the intervention and prior to visit/interview. Ask for a version/amendment history if appropriate. When reviewing the RA ahead of your meeting, capture 'comments' against the document (whether digital or hard-copy) to aid you in raising challenge during the meeting.

During your meeting, ask the relevant person/business if the risks captured in the RA and discussed during the meeting are a complete record of the risks which have been identified and assessed - record this question and the response clearly in your notes of meeting.

Consider the contents of this Regulation 18 walk through.
AMP
The business should take account of the following when assessing risk:
Who is ultimately buying the artwork and where the AMP sits in each deal chain (e.g. is the AMP acting for the final customer or for another intermediary).

Where the artwork is displayed/stored and if this is usual for the area/country.

The type and value of artworks generally traded.

The provenance of artwork/proof of ownership and method of payment, including transactions deliberately broken down to avoid the 10,000 euro threshold.

How the artwork will be delivered to the ultimate beneficial owner.
ASP
The business should take account of the following when assessing risk:
Client profile.

Whether it has clients who are in an unusual location in relation to the ASP or operate outside the UK.

If the services it offers (or combination of services) carry a higher risk than others.

If clients pay in cash or are involved in a cash intensive business.

If it meets its clients face to face or if verification is carried out by other means.
EAB
The business should take account of the following when assessing risk:
Complex ownership structures with an opportunity to hide underlying beneficial owners.

Operating in high risk countries or geographic areas of risk including overseas buyers/sellers.

The types and values of properties sold (e.g. residential, commercial, super prime (>£5M) etc).

How properties are financed.

Buyers and sellers they do not meet face to face.
LAB
The business should take account of the following when assessing risk:
The types of clients and reasons behind high value lettings.

Clients operating in high risk countries or geographic areas of risk.

The types and values of properties involved.

How rentals are financed (e.g. the risk of disposal of criminal funds).

Clients who they do not meet face to face.
HVD
The business should take account of the following when assessing risk:

Different customer types and why they want to pay in cash.

Customers travelling large distances to purchase goods and/or deliver cash, particularly for goods exported to countries with high levels of corruption or with restrictions on the use of cash (often undeclared at the point of exit/entry).

Types of goods, especially those known to be attractive to criminals (e.g. precious metals and stones, luxury goods/cars, wholesale alcohol and other goods used in supply chain fraud).

Transactions deliberately broken down to avoid the 10,000 euro threshold, either using multiple invoicing or when depositing cash into a bank.

Goods diverted to a different end user and/or cash delivered by an unknown third party, including Informal Value Transfer Systems (IVTS) and using MSBs to deliver cash on behalf of overseas customers.
MSB
The business should take account of the following when assessing risk:
Agent networks and the risks associated with lengthening transaction chains.

Countries/geographic areas funds are being transmitted to - if this includes high risk jurisdictions (as set out by the EC), has this been recognised and is Enhanced Due Diligence being applied to all transactions?

Hawala banking systems - traditionally a ledger-based offsetting financial arrangement, meaning that funds do not physically move across borders/territories.

How transfers of funds are "settled" - does this involve third-party payments and/or informal value transfer? If yes, has this been recognised as a high-risk methodology?

When considering whether the thresholds set are appropriate, you should consider the "size and nature" of the business - for example, average transaction size versus threshold amount.

Specific products or services that are attractive to criminals (e.g. currency exchanges using high denomination notes, cheque cashing for scrap metal dealers or to evade tax etc).

One to many or many to one transactions (linked transactions by a common sender/customer or beneficiary) including those deliberately broken down to avoid detection (smurfing); third-party settlements and the prevalence of cash.

The use of agent networks or Intermediary Payment Service Providers, Hawala or Informal Value Transfer Systems (IVTS) to execute transactions. 

Please read and consider - Understanding risks and taking action for money service businesses
Please read and consider HMRC's published guidance for MSBs
Please read and consider EU policy on high-risk third countries
Regulation 18 walk through
TCSP
The business should take account of the following when assessing risk:
Who its clients are and why they are using its services, including those involving complex ownership structures that do not appear to make financial sense.

Whether it has clients who are in an unusual location in relation to the TCSP or operate in known tax havens.

If the services it offers (or combination of services) carry a higher risk than others (e.g. those which favour anonymity).

Unusually complex transactions.

If it meets its clients face to face or if verification is carried out by other means.
Further Reading
JMLSG guidance part 1, chapter 4 including annexes 4-I, 4-II and 4-III

MLR3 c4000

gov.uk guidance Risk Assessments

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

Regulation 18 walk through

Money Laundering and Terrorist Financing (High-Risk Countries) Regulations 2021

National Risk Assessment Dec 2020

National Risk Assessment Oct 2017

Corruption Perceptions Index

Office of Financial Sanctions Implementation

Policies, controls and procedures - Regulation 19

Customer due diligence measures - Regulation 28

Obligation to apply enhanced customer due diligence - Regulation 33

MLR Regulation 18(4): Policy note and guidance for AMLS staff

FAQs
What if the Risk Assessment and PCP documents are in the same document?
There is no legal obligation for relevant businesses to have two separate documents, as long as the content sufficiently covers each requirement of the Regulations.

If the relevant person/business has failed to appropriately identify risks associated with customers, have they breached 18(2)(b)(i)?
Possible breaches under Regulation 18 will occur under either 18(1) or 18(4); you cannot have a breach defined under regulation 18(2) or 18(3). Any failings under these subsections are breaches under 18(1).

What terminology should I use when completing a table of failure?
Use the terms used in the regulations, e.g. failed to keep a "record in writing" rather than a written record.

When can we allow a business to depart from the need to keep an up-to-date written record of its risk assessment, and the steps taken to create it?
Please read the full policy note on how to apply Regulation 18(4) and when we can allow a business to not keep its RA in writing. This can be found in the Knowledge Library and in the further reading above.