Our risk-based approach to supervision: General legal requirements for businesses
The legal requirements in relation to the risk-based approach are contained in the following sections of the Money Laundering Regulations 2007.
Regulation 20 sets out the relevant systems for which businesses must establish appropriate and risk-sensitive policies and procedures. These are:
- Customer due diligence measures and ongoing monitoring
- Internal control
- Risk assessment and management
- Monitoring and management of compliance, and
- The internal communication of these policies and procedures.
Regulation 20(2) requires that these policies and procedures must include the identification and scrutiny of complex or unusually large transactions, unusual patterns of transactions, or other activity that could be related to money laundering or terrorist financing.
Regulation 20(2) requires that the procedures include the appointment of a NO (except where the business is run by an individual with no employees) under Part 7 of the POCA 2002 and the TA 2000. Any information that results in suspicion or provides reasonable grounds for suspicion of money laundering or terrorist financing must be reported to the NO, who must consider all relevant information and decide whether a report should be made to SOCA.
Regulations 7(3) and 8(3) require businesses to determine the extent of customer due diligence measures and ongoing transaction monitoring on a risk-sensitive basis depending on the type of customer, business relationship, product or transaction.