Beta This part of GOV.UK is being rebuilt – find out what beta means

HMRC internal manual

Money Laundering Regulations: Compliance

Business sector specific Guidance: Money Service Businesses: Money Laundering Regulations checks at a Money Transmitters

The very nature of their business means that money transmitters are exposed to the risk that the transactions that they are asked to perform will be for the purposes of laundering the proceeds of crime or the transfer of funds used to finance terrorism. The degree of risk will vary for each business according to a number of factors the chief ones being, their customer profile, destination of funds, delivery channels, size of transactions undertaken.

Regulation 20(1) MLR 2007 requires businesses to establish appropriate risk sensitive policies and procedures to prevent money laundering. These are:

* customer due diligence measures and ongoing monitoring
* reporting
* internal control
* risk assessment and management
* monitoring and management of compliance
* internal communication of policies and procedures.

Additionally Regulation 20(2) requires businesses to (a) apply the above policies and procedures so that they identify and scrutinise unusually large or complex transactions that could be connected with money laundering or terrorist financing and (b) to appoint a Nominated Officer (except where the business is run by a sole trader with no employees) under Part 7 of the Proceeds of Crime Act 2002 and the Terrorism Act 2000. Information that results in suspicion or provides reasonable grounds for suspicion of money laundering or terrorist financing must be reported to the Nominated Officer. The Nominated Officer must then consider the information and decide if a report should be sent to the Serious Organised Crime Agency.

Regulations 7(3) and 8(3) requires businesses to determine the extent to which customer due diligence and ongoing transaction monitoring is carried out on a risk sensitive basis having regard to the type of customer, business relationship, product or transaction.

In order to check that an MSB is complying with the Regulations it should be borne in mind that the Regulations do not prescribe the procedures or policies that a business must put in place to prevent their business being used to launder money of finance terrorism. It requires them to put in place systems that are “appropriate and risk-sensitive”.

There is therefore no uniform approach that applies and each business is required to apply measures that fit the circumstances of their business. Larger more sophisticated businesses may have detailed policy statements and risk analysis documents in place which fully explain the measures that they adopt in the business to mitigate the risk of money laundering. On the other hand many small businesses will not (nor are they required to) have any policy or risk analysis documents. They must therefore demonstrate that they have identified risks and made appropriate judgements in the circumstances to mitigate it. It is not sufficient for a money transmitter to follow and rely on the identification procedures to comply with the Payment Regulations. Compliance with MLR goes beyond this and a business must be able to demonstrate that they have adopted a risk based approach in their dealings with customers.

To demonstrate that they have been complying with the Regulations and have appropriate policies and procedures in place a sample of the MSB’s transactions and business records should be tested. Business Records that are likely to be useful for testing and which can be used are:

* transaction records
* customer files
* internal compliance management reports
* bank paying-in books
* bank statements

The test should be carried out over a sufficient sample of records and time period for a clear picture to emerge as to the level of compliance or non compliance. A table of compliance risk areas and appropriate measures to be taken by the business to mitigate the risks is available at Appendix 4 of the Anti Money Laundering Guide for Money Service Businesses.

The test whether these risks have been addressed a compliance visit should check the following.

* Look at customer histories. Do the records kept by the business enable repeat transactions to be identified? If the records are computerised has it been programmed so that a whole customer history can be accessed? If the records are manual do they enable a customer profile to be produced?
* Identify any customers with regular high value transactions and check what EDD measures the business has taken to establish the source of the funds and the reason for the transaction.
* Check bank statements to identify any remote payments into their bank account. Has EDD been carried out for non face to face transactions?
* Where the business is acting as an Intermediary Payment Service Provider (IPSP) do they check that the other money transmitter’s MLR registration is current?
* If the business makes use of a computer system supplied by an IPSP can they ensure that transaction records will be available for 5 years if they change provider?
* If the business receives funds into the UK do they ensure that they receive CIP from the transmitter where the transmitter is based in the EU?
* If the business receives funds into the UK from a non EU based transmitter does the business ensure that there are comparative AML procedures in place before accepting the transaction?