ECSH63405 - Regulation 21 - Internal controls


The Law
https://www.legislation.gov.uk/uksi/2017/692/regulation/21
What it means
A relevant person must put in place controls to effectively monitor and manage its Anti-Money Laundering (AML) policies, controls and procedures (PCPs).
Purpose
To confirm sufficient resources and appropriate persons are appointed to ensure compliance with the MLRs and the effectiveness of PCPs in preventing Money Laundering or Terrorist Financing (MLTF).
Time Line
Similar provisions were provided within Regulation 20 MLR 2007, Regulation 3 of MLR 2003 (Money Service Businesses (MSBs)/High Value Dealers (HVDs)) and Regulation 3 of MLR 2001 (MSBs only) to comply with the requirements of MLR 1993.
What to establish
Regulation 21(1) states that the requirements shown below are “appropriate with regard to the size and nature of its business”. This means it may not be necessary to employ additional staff to carry out all of the functions below, although the responsibilities remain.

Sub-section (10) sets out that in determining what is “appropriate” a relevant person MUST take into account its Risk Assessment (RA) under regulation 18(1); and MAY take into account any guidance issued by its supervisor (e.g. sector guidance).

Regulation 21(3) states that an individual in the relevant person's firm must be appointed as a nominated officer (NO).

This doesn’t apply where the “relevant person is an individual who neither employs nor acts in association with any other person” (Reg 21(6)) – in other words, if it is a “one-man band”, that person will be responsible for the effectiveness of their AML procedures and for reporting suspicious activity to the National Crime Agency (NCA).
If the relevant person is a partnership, or there is more than one director, a NO must be appointed.
The NO must consider internal suspicious activity reports to determine whether there are reasonable grounds to know or suspect that a customer is engaged in MLTF (Reg 21(5)).
The NO must consider the report in the light of relevant information available. It's important therefore that the NO has access to all customer and financial information and is of sufficient seniority to make independent decisions.
The NO must therefore be employed within the business and cannot be an external appointment, such as an external accountant or compliance professional.
Failing to disclose knowledge or suspicion of ML is an offence under Part 7 of the Proceeds of Crime Act 2002.

Where there is a board of directors (or equivalent), one of the directors must take responsibility for AML and update the rest of the board as appropriate in accordance with Reg 21(1)(a). HMRC Compliance Officers should always establish who the Senior Responsible Officer (SRO), or compliance officer, is within the business to determine who is ultimately responsible.

The relevant person must advise HMRC of any appointment or changes to the NO or SRO within 14 days (Reg 21(4)) (as opposed to the standard 30 days to notify of a material change).

Depending on the size and nature of the business, there must also be an independent audit function, i.e. separate to those carrying out the day to day activities of the business.

The audit must review the effectiveness of the AML procedures and make sure they are working to prevent MLTF. Where recommendations for improvement are made, the audit function must make sure they are implemented.

A payment service provider (e.g. a money transmitter, BPSP or TDITPSP subject to the relevant requirements of the funds transfer regulations) MUST appoint an individual to communicate, monitor and manage compliance with its PCPs in order to:

(a) identify situations carrying a higher risk of MLTF; (b) keep a record of its AML RA/PCPs; (c) ensure the PCPs are applied to all relevant functions including any changes to business activities, new products or new customers; and (d) provide information to senior management about the operation and effectiveness of its PCPs at least annually and at other times as appropriate – Reg 21(7).

Where staff are employed to carry out any of the above functions, they MUST be “screened”. This is similar to the Fit and Proper Test under Regulation 58, to ensure the conduct and integrity of the individual(s) and that they have appropriate skills, knowledge and expertise to carry out their function effectively.

“Relevant employees” are defined at Reg 21(2)(b) and include staff whose work is relevant to compliance with the regulations, contributes to identifying or mitigating risks of MLTF, or the prevention or detection of MLTF.
It therefore encompasses all key roles (customer facing staff, NO, SRO, compliance officer or team, auditor etc.).

Screening is an ongoing requirement and checks must be repeated.

A relevant person must establish and maintain systems which enable it to respond “fully and rapidly” to enquiries from law enforcement agencies (LEAs defined at Reg 21(9)) regarding its customers during the previous five years. This is linked to the requirements under Regulation 40 (Record keeping).
How to test compliance and evidence to obtain
Confirm the business structure and who has been appointed to each of the roles above.
If the business hasn’t appointed anyone to these roles, why was it considered not appropriate? Is this in line with the risks identified within its RA or in the sector guidance approved by Treasury?

Confirm the dates the individuals were appointed – do these match the information we hold on ETMP?
If not, consider a penalty for Failure to Notify, within 14 days (see type 3 within New Financial Penalties Framework: Introduction - HMRC).

Confirm the roles and responsibilities of each of the persons appointed.

Confirm how the business screens its staff when appointed, and ask to see evidence, including when these checks were last performed.

Confirm that each person is effectively carrying out their role. For example:

Nominated Officer:
Confirm the role of the NO and that they are an employee of the business, with sufficient seniority to carry out the role effectively and independently.
Ask the NO for their understanding of financial information and the risks of MLTF to the business.
Ask how many internal reports have been received by the NO, and the information sources used when evaluating the internal reports, including if any information was requested but not provided to them.
Confirm the number of SARs submitted to the NCA (including DAML). Are there sufficient grounds for knowledge or suspicion of MLTF? Is there evidence that the NO has failed to disclose suspicious activity? If so, consider a referral under POCA 2002.

Compliance Officer/Team:
Confirm the role of the compliance officer or SRO.
Confirm that all the requirements of Regulations 18 and 19 have been complied with. If not, why not?
Record the steps taken to communicate the PCP.
Ask to see evidence of checks performed to ensure staff comply with the PCP. If breaches have occurred, how did these go undetected?
How are they informed of any changes to business activities, new products and services or new customers?
Ask to see copies of annual reports and information provided to senior management.
Scenario
Whilst trying to book a visit, the receptionist tells you that the individual left the business about 18 months ago, but she’ll put you through to the person who took over their job. You recognise the business has failed to inform HMRC of the appointment of a Nominated Officer within 14 days, which is a breach of 21(4)(c). You ask the business owner why HMRC was not informed of the change and he tells you that unfortunately the previous NO left unexpectedly and he wasn’t aware of what he had to do.
You advise him to log in to the business's Government Gateway account and amend the application immediately.
Best Practice
At the start of any intervention etc, HMRC compliance officers should be speaking with all the individuals above to establish their roles and responsibilities to ensure they are dealing with the correct person. This means you may be speaking to more than one officer within the business.
AMP
No additional Best Practice.
ASP
No additional Best Practice.
EAB
No additional Best Practice.
LAB
No additional Best Practice.
HVD
No additional Best Practice.
MSB
No additional Best Practice.
TCSP
No additional Best Practice.
Further Reading
Schedule 6 - Relevant Requirements
Proceeds of Crime Act 2002 (legislation.gov.uk)
ECS Penalties Guidance - HMRC – ECSH 80000
Business tax: Anti money laundering supervision - detailed information - GOV.UK (www.gov.uk)
National risk assessment of money laundering and terrorist financing 2020 - GOV.UK (www.gov.uk)
Suspicious Activity Reports - National Crime Agency
FAQs
Can the NO be based overseas?
Yes, as long as they are still employees within the business structure.
If a person is not an employee within the business, can they still be an NO?
No, they must be an employee within the business, or the business group/structure.

Can an employee provide the ‘independent audit function’?
Yes, as long as they are not “marking their own work”.