ECSH63381 - Regulation 18 walk through


The initial step taken in most officers' interventions is to request the risk assessment and PCP documents from the business.
This is supported, as quality analysis of these documents will really help to inform your lines of questioning and areas of challenge when preparing for your interview or meeting with the business. BUT for this analysis to be of the quality required, you also need to gain a strong understanding of the business's operating model and the actual end-to-end process for carrying out transactions. Without this it is not realistically possible for you to identify all the specific risks to which the business is subject, and therefore not realistically possible to analyse the business's risk assessment.
In simple terms, if you don't know and understand what the business does, and how it does it, you can't know what risks it should be identifying and assessing in its risk assessment. Therefore, best practice would be to take steps to understand what the business does by asking for an end-to-end illustration at the same time as you ask for the risk assessment and PCP documents.
You may also, at the point of booking your interview/meeting, have some initial dialogue with the business to understand its business model and what it does, and to establish this overview of the end-to-end process, rather than just booking in the meeting itself.
Needless to say, these are only the initial steps. The analysis undertaken of the risk assessment and PCP sits hand in hand with the upcoming interview/meeting: armed with quality analysis of what risks the business is subject to, what it has within its risk assessment document and what policies it has documented, you can use this knowledge during the discussion to challenge and interrogate the business appropriately. It is important we don't obtain the risk assessment and PCP and then do very little or nothing with them, OR fully analyse them but fail to deploy this knowledge during the course of the intervention to challenge, probe and interrogate appropriately.

Regulation 18(1) states; A relevant person must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject.
Now there are 2 key parts to this, IDENTIFY and ASSESS, defined below, so that with any breaches found we understand the actual "point of failure".
IDENTIFY: The business must take steps to understand and consider what risks it is exposed to. If the business is subject to a risk, for example it sends money to a high-risk jurisdiction, but there is no reference to this within the business's risk assessment, then at this point it appears the business has failed to ever IDENTIFY the risk to which it is subject.
ASSESS: If the business is subject to the risk of sending money to a high-risk jurisdiction, and the risk assessment does cover this risk but categorises this element as LOW risk, then it has identified the risk but has failed to appropriately ASSESS that risk.
Regulation 18(2) states; In carrying out the risk assessment required under paragraph (1), a relevant person must take into account –
(a) information made available to them by the supervisory authority under regulations 17(9) and 47; and
(b) risk factors including factors relating to -
  (i) its customers;
  (ii) the countries or geographic areas in which it operates;
  (iii) its products or services;
  (iv) its transactions; and
  (v) its delivery channels
This outlines what the business MUST take into account when undertaking its risk assessment.
Any MUST within the regulations means the business has no option and cannot bypass or ignore these factors.

Firstly, 18(2)(a). Good examples of the information to which 18(2)(a) refers are the following:
- National Risk Assessment (NRA)
- Financial Action Task Force (FATF)
- Gov.UK guidance (MSB Guidance, Fit and Proper guidance, Risk Assessment and MSB risk digest)
- European Commission
- HMT Sanctions List
- FCA Guidance
- Home Office published list of terrorist organisations
- Alerts from the supervisory authority
It is good practice to question the business here as to what information they have considered and get confirmation of their understanding of it.

Secondly, in 18(2)(b), it is important to understand what should be considered in each area of risk. Some examples are:
Its customers
- Consideration must be given by the business to identify who its customers are, then IDENTIFY the risks posed by those customers, and ASSESS those risks appropriately. This includes private customers, corporate customers and possibly other MSBs.
- Which customer or customers should be identified will depend on the business model in operation. When you are analysing this area of risk you should look at what transactions are taking place, and therefore who the business is actually providing a service to; this includes corporate customers and other MSBs.
The countries or geographic areas in which it operates;
- Consideration must be given here to where the service originates, goes through and ends.
- When considering the "goes through" element you will need to understand the end-to-end process for the transactions, and this will also be encompassed in the business's Delivery Channels.
Its products or services;
- Consideration must be given here to what the business is actually offering to its customers.
- It goes without saying that different services carry different risks. Whether it be currency exchange, money transmission or cheque cashing, the business must have IDENTIFIED and ASSESSED the specific risks to which it is subject for any and all services it offers.
- Consideration must also be given to the different risks within those services offered, such as money transmission with dealing in cash, non-local customers, large volumes to high-risk jurisdictions (HRJs), multiple customers to one beneficiary etc., OR currency exchange with requests for high denomination notes, repeat customers undertaking large transactions etc.
Its transactions;
- Consideration must be given here not only to the transaction type but to the variances in risk which can change depending on how the transaction is executed.
- For example, the same transaction type being completed face-to-face vs remote/electronic; exchanging currency for "holiday money" vs large amounts for the highest denomination notes; or cashing a regular customer's weekly wage cheque vs a one-off large insurance pay-out.
Its delivery channels;
- Consideration must be given here to the full end-to-end process in executing the service/transaction. It is important to "follow the cash".
- What "stages" or "steps" does it go through? How do we get from point A to point B?
- As mentioned already, consideration also needs to be given here to geographic areas of operation and any geographic area or country where any service/transaction actually lands or exists.
- This would also include the use of agents.

Regulation 18(3) states; In deciding what steps are appropriate under paragraph (1), the relevant person must take into account the size and nature of its business.
Now for 18(3). It is here to show that what is appropriate for one MSB might not be appropriate for another. An example of this could be threshold setting for certain CDD and EDD measures, including SOF. There is a tendency across the sector to apply an "industry standard"* when it comes to threshold setting, which is not appropriate: the risk assessment needs to be tailored to the specific risks to which that business is subject. So, what we need to see is the business giving consideration to the size and nature of ITS business when establishing thresholds, considering things like average transaction amounts (single or cumulative), to provide a clear identification of any risk and how it has assessed that risk, not just a number picked based on "industry standard" or its competitors.
*Set by the MSB sector not by us or the regulations!

Regulation 18(4) states; A relevant person must keep an up-to-date record in writing of all the steps it has taken under paragraph (1),
Self-explanatory for a change: the business MUST keep an up-to-date written risk assessment, detailing all the risks it has identified and assessed and the steps taken in the identifying and assessing process.

So where do we get the breaches?
Possible breaches under regulation 18 will occur under either 18(1) or 18(4). You cannot have a breach defined under regulation 18(2) or 18(3); any failings in what the business MUST do under those paragraphs are breaches under 18(1).
BUT to be able to understand where breaches have occurred you MUST have a strong grasp of the business's operating model and end-to-end process for carrying out transactions, otherwise we won't know what specific risks the business should be identifying and assessing. So it is best practice to take steps to understand this to support your analysis.
As ever, the actual outcome will depend on the outcome of the full intervention, and these are just examples of possible breaches:
- Any risk the business is subject to which is not mentioned within its risk assessment document at all is a breach under 18(1) as a failure to IDENTIFY. (This includes the risk areas listed in 18(2)(b) that the business MUST take into account.)
N.B. There is a caveat here though. In circumstances where a business is exposed to a risk and there is no mention of it anywhere in the risk assessment document, BUT there are Policies, Controls or Procedures in place (whether written or otherwise) which mitigate that risk, then it follows that the business MUST have IDENTIFIED and ASSESSED that risk, and the breach is instead under 18(4) as it has not kept an up-to-date record in writing.

- Any risk the business is subject to and has identified, but has not appropriately assessed the level of risk, is a breach under 18(1) as a failure to appropriately ASSESS. (This will include when the business has not taken into account information made available under 18(2)(a) when assessing the risks it is subject to.) However, the same caveat applies here: IF there are controls actually in practice (written or otherwise) which show the risk has been assessed, and assessed correctly, the breach would instead be under 18(4).
- If the business does not have a risk assessment document at all, this could be a breach under 18(1) if it simply has not completed any risk assessment for the business, or under 18(4) if there is evidence it has identified and assessed risks, either through the PCP document or through how the business operates in practice, and has not kept a written record of it.

In general, in identifying and understanding any possible breaches and how they should be categorised (under 18(1) and/or 18(4)), we should be asking the business to explain and demonstrate how it meets the requirements of regulation 18 in full. You can then challenge as required and obtain the quality, detailed evidence needed for any possible sanction.
Examples based on operational observation
Transmitting funds via third-party invoicing: who is the customer?
- Regulation 18(2)(b)(i) identifies "CUSTOMERS" as a risk factor that MUST be taken into account, and in this more complex business model it is vital we understand who meets the definition of "CUSTOMER" of the UK MSB we are supervising.
- In this situation, the UK MSB should be identifying as its customer both the direct customer seeking to send funds and any overseas MSB/MSP it is engaging with. This is clearly outlined in HMRC's Gov.UK MSB guidance and the MSB Risk Digest.
- A capability and learning product is being finalised around third-party invoicing business models, which will be available soon.
Threshold setting for CDD, EDD, Source of Funds etc.
- Regulation 18(3) states a business MUST take into account the size and nature of its business, but there are occasions where businesses have thresholds set to implement EDD measures, including SOF, at what appear to be "industry standard" levels.
- On this front, if a business's average transaction is £500, is it appropriate to require EDD measures only at £2,000, four times the average? Is that in line with the size and nature of the business?
- We cannot be prescriptive about threshold setting, but this gives you an avenue to challenge this aspect. The business should be able to explain its assessment of risk and therefore justify why it has any given threshold in place.
- The same principle also applies to cumulative limits etc.
- This supports fair and consistent application of the regulations and of our supervisory function.