ECSH63390 - Regulation 19 - Policies, controls and procedures
The Law
https://www.legislation.gov.uk/uksi/2017/692/regulation/19
What it means
The relevant person/business must use its Risk Assessment to set out its procedures for effectively mitigating each risk identified.
These policies, controls and procedures (PCPs) must be written down, be regularly reviewed and updated, and be communicated throughout the business.
The PCPs must cover:
risk assessment and management
customer due diligence (CDD) measures
record keeping
internal controls
monitoring and management of compliance
the internal communication of these PCPs

Remember - 'must' denotes a legal obligation; setting out policies, controls and procedures, which are specific to the business, is not optional and failure to comply with Regulation 19 is a breach.
Purpose
A relevant person/business needs to know the risks it faces and how severe those risks are; without this, it would not be possible to prevent the business being exposed to Money Laundering and Terrorist Financing (MLTF). Once the risks are identified, the relevant person/business must show how it effectively mitigates and monitors them.
Time Line
There was a requirement under Reg 20 MLR 2007 to have risk-based policies and procedures, and under Reg 3 MLR 2003 to have AML procedures (known as CATCH), but there was no previous requirement for these to be in writing.
What to establish
19(1)(a) - Does the relevant person/business have PCPs that effectively mitigate and manage the risks of MLTF identified in its Risk Assessment? Does the relevant person/business do what it says it does? - Fundamental Requirement
19(1)(b) - How often are reviews and updates carried out? Is there a record that shows that regular reviews and updates have been undertaken? Does the period between reviews seem reasonable? - Fundamental Requirement
19(1)(c) - Are the PCPs written down? Is there a record of review dates or document version control? Are there records to show that the PCPs have been communicated with the right people? - Fundamental Requirement
19(2) - How big and complex is the business? Do the PCPs reflect this? Have the PCPs been approved by Senior Management?
19(3) - Do the PCPs include the relevant person/business's:
(a) risk management practices
(b) internal controls
(c) CDD procedures
(d) reliance and record keeping procedures
19(3)(e) - Do the PCPs explain how the relevant person/business will monitor and manage its staff and/or agents' compliance with the PCPs? Are there internal audit reports? How have the PCPs been communicated with the relevant staff and/or agents?
19(4)(a) - What is a typical/common transaction for the relevant person/business? Do they treat certain transactions differently (e.g. an export or a transaction over a certain value)? Are there separate teams responsible for sales and compliance and how do they interact?
19(4)(b) - Are any customers anonymous (i.e. a complex ownership structure prevents identification of the beneficial owner, officer or manager (BOOM))? Are any transactions non-face-to-face? What does the relevant person/business do to address the risks of products or transactions which favour anonymity?
19(4)(c) - Does the relevant person/business update its PCPs ahead of introducing new products, practices or technologies, to account for the associated risks? Is there a record of review dates or document version control to corroborate this?
19(4)(d) - How do staff and/or agents report suspicions that a person is engaged in ML or TF? Who do they report to and is a record kept? Are internal SARs raised and recorded?
19(5)(b) - Has the relevant person/business taken into account any guidance issued by the supervisory body?
19(6) - Are there any branches or subsidiaries to the relevant person/business based outside the UK? If so, is there a record to demonstrate they have been sent, and are aware of, the PCPs?
How to test compliance and evidence to obtain
Obtain a copy of the latest PCP document and a version/amendment history if available. Review the documents alongside the published sector guidance. Question the business to ascertain how it actually operates and to understand the mechanics of the relevant transactions.
Record examples of any differences between the recorded PCPs, the operations/mechanics as described by the business, and the actual operations/mechanics. Breaches will also occur where a risk has been identified but the business has failed to establish a PCP, or where it has effective PCPs but has failed to maintain (follow) them.
Remember, to allege a breach under Regulation 19, the risk must first have been identified in the business's risk assessment. If procedures are lacking because a risk has not been identified, the breach should be under Regulation 18, rather than Regulation 19.
If there is a change part way through the relevant period you are looking at, the breach would be a failure to regularly review and update the PCPs, rather than a failure to have a procedure.
Establish who the business's Senior Management are, the individual responsible for compliance, and the individual responsible for reporting suspicious activity. Obtain and review any audit reports (internal or by a third party) concerning the business's compliance with its legal obligations and its performance.
Look for business literature or press releases regarding their activities especially new ventures or products, that may require an update to the PCPs.
Scenario
Prior to a compliance visit, an HVD emails a copy of its AML procedure document. When you review it, you quickly realise the document refers to amounts of £10,000 in cash throughout. During the visit, the business owner says that if anyone wants to pay in cash over £10,000 he keeps a separate spreadsheet with all the details and uses this to monitor who is paying in cash. This procedure is not written down. You advise the business that the limit is set in euros and give the sterling equivalent for that day. The business owner apologises for this oversight and says he will change it immediately and send all the sales staff an email. You query this, because the MLR application says that there is only one employee and the PCP document does not mention staff or how they will be trained. The owner says the business has grown considerably since the AML documents were written but he will make sure they are updated as soon as possible. This business has breached 19(1)(c).
Best Practice
See sector specific information below:
AMP
CDD procedures, especially those concerning politically exposed persons, their family members and close associates. Enhanced CDD is to be carried out.
An AMP's customer depends on its business model:
- Purchaser (including broker or agent acting on their behalf)
- Seller where the AMP provides a service to, and receives financial value from, them
Please see BAMF AML guidance
ASP
We need to understand the business records and the "onboarding of clients" procedures the business used to inform its Risk Assessment, and then assess the level of risk for each of its clients.
See Para 4 of the CCAB Guidance for the Accountancy Sector
EAB
19(4)(b) - Complex and opaque ownership structures that lend themselves to anonymity.
CDD checks must be carried out on both sellers and buyers as well as ongoing monitoring.
Identify politically exposed persons as well as their family members and close associates. Enhanced CDD is to be carried out.
Please see para 3 of EAB Guidance – Paras 5.15 et seq
LAB
CDD checks must be carried out on both parties as well as ongoing monitoring.
HVD
Understand the business records/information sources used to inform its Risk Assessment.
Ensure procedures record authority levels - who can authorise a large cash payment?
Procedures must record when CDD is carried out (and not solely for commercial reasons) - is there a sterling limit? Ensure these are extended to all parties to the transaction, especially for export customers relying on other individuals/businesses in the UK to make a cash payment on their behalf.
HVDs rarely rely on another business to carry out due diligence but may employ ex-HMRC employees to act as their MLR representative.
Normal trading records will be maintained; the procedures should set out how and where relevant cash payments are recorded.
Who reviews records to ensure that all relevant cash payments have been identified?
Please see para 3 of HVD Guidance
MSB
19(4)(e) - A money service business that uses agents must ensure that appropriate measures are taken to enable them to assess (i) whether the agents would satisfy the fit and proper test (Reg 58) and (ii) the risk that the agent may be used for ML or TF
It is important to remember that being sure an agent satisfies the fit and proper test (Reg 58), goes above and beyond verifying the individuals within the agent and any officer, manager and beneficial owner of the agent have no Schedule 3 convictions. The MSB principal must take into account all parts of the test including those listed in 58(4). HMRC also has published fit and proper guidance available on GOV.UK.
Fit and proper technical guidance
Is the agent on-boarding procedure clearly stated?
When assessing the risk that an agent may be used for MLTF, does the Principal take into account whether the agent is registered with multiple principals and/or has its own independent registration? Does the agent in fact have an agent network of its own? Has the agent's location, including its proximity to other MSBs, been taken into account?
In a Principal-Agent relationship, the MSB Principal is responsible for ensuring all of its agents have, know, understand and follow the Principal's PCPs.
Are there PCPs for ongoing monitoring, including multiple senders to one beneficiary or a single sender to multiple beneficiaries, multiple senders from the same household, cumulative limits, and non-local customers?
When considering whether the CDD thresholds set are appropriate, you should consider the "size and nature" of the business - i.e. does the average transaction value align with the threshold amount?
Do the PCPs match the risk? The business's RA may outline a high-risk situation but the corresponding PCPs do not marry up to the risk; for example, the RA says a country funds are sent to is high-risk, but there is a threshold before enhanced due diligence is completed. If the situation is deemed high-risk then enhanced due diligence should be completed for every transaction.
Do the PCPs cover all services being undertaken by the MSB? Does the MSB conduct relevant activity in its own right and/or through an agent network? Do the PCPs reflect both of these? Do the PCPs cover the MSB sub-sectors being provided (Money Transmission, Currency Exchange and Cheque Cashing)?
Please see para 3 of MSB Guidance
TCSP
19(4)(b) - Complex and opaque ownership structures that lend themselves to anonymity
Please see para 3 of the TCSP Guidance
Further Reading
JMLSG guidance Part 1 Chapters 1 and 2
National Risk Assessment Dec 2020
National Risk Assessment Oct 2017
Part 3 Terrorism Act 2000
Part 7 of Proceeds of Crime Act 2002
Customer due diligence: Part 3, Chapter 1 CDD: general, Chapter 2 Enhanced CDD and Chapter 3 Simplified CDD
FAQs
What if the Risk Assessment and PCP documents are in the same document?
There is no legal obligation for relevant businesses to have two separate documents, as long as the content sufficiently covers each requirement of the Regulations.
What terminology should I use when completing a table of failure?
Use the terms from the Regulations, e.g. failed to keep a "record in writing" rather than a written record.