Our risk based approach to supervision: General legal requirements for businesses
The legal requirements in relation to the risk-based approach are contained in the following sections of MLRs 2017.
Regulation 18 sets out the appropriate steps a relevant person must take to identify and assess the risk of money laundering and terrorist financing. To carry out a risk assessment, a relevant person must take account of:
- any information made available to them by a supervisory authority under regulation 17(9) and 47
The relevant person must take account of any risk factors specific to its business, such as:
- its customers
- the countries or geographical areas in which the relevant person operates
- its products or services
- delivery channels
The risk assessment must be kept up to date and in writing.
Regulation 19 requires a relevant person to establish and maintain policies, controls and procedures based on their risk assessment to mitigate and manage the risk of money laundering.
Regulation 19 sets out the relevant systems for which businesses must establish appropriate and risk-sensitive policies and procedures proportionate to the size of the business and approved by senior management. These are:
- risk assessment and management
- customer due diligence measures and ongoing monitoring
- reliance and record-keeping
- internal control
- monitoring and management of compliance, and
- the internal communication of these policies and procedures.
Regulation 19(4) requires that these policies and procedures must include the identification and scrutiny of complex or unusually large transactions, unusual patterns of transactions, transactions that have no apparent economic or legal purpose and other activity that could be related to money laundering or terrorist financing.
Regulation 19(4)(d) requires a relevant business to comply with Part 7 of the POCA 2002 and the TA 2000. Any information that results in suspicion or provides reasonable grounds for suspicion of money laundering or terrorist financing must be reported to the NO, who must consider all relevant information and decide if a report should be made to the NCA.
The policies, controls and procedures established under regulation 19 must also apply to all of the relevant person’s subsidiary undertakings and branches located within and outside the United Kingdom, and must be communicated to them.
They must be kept in writing and be regularly updated and communicated throughout the business.
Regulations 28(12) and 28(13) require businesses to determine the extent of customer due diligence measures and ongoing transaction monitoring on a risk-sensitive basis depending on the type of customer, business relationship, product or transaction.