Compliance checks involving visits: Planning the visit
The purpose of the visit will be to make sure that the business is complying with anti-money laundering legislation and taking advantage of the simplified procedures.
Compliance officers should ensure they have all relevant information before beginning to plan the compliance checks.
If a previously completed questionnaire and/or policy statement, risk assessment or other management records are available before the visit, they should be used. They should be used together with other risk information held and previous visit reports to plan the interview and visit so that these focus on identified risks.
Officers should remember that risk assessment should precede and inform all aspects of our supervision, including:
- data collection and other information requirements,
- advice and support, and
- enforcement and sanctions.
The precise way RCOs plan a specific visit will depend on the risks that have been identified. Officers will need to consider what questions they need to ask and what documents they need to see in order to evaluate whether the business is compliant with the regulations or has put reasonable steps in place to remedy the weaknesses or breaches we have previously identified. It is good practice for Officers to prepare their own visit plan summarising the risks, how they intend to address them, and what facts they need to record in their notebook.
An MSB risk-based approach questionnaire is available to help officers to obtain relevant information at a visit about the risks in the business and the controls that have been put in place.
However, the risk-based approach means that Officers should always concentrate on the risks identified as the reason for the visit and should not adopt a tick-box approach.
The starting point in preparing the visit plan should normally be the results of any previous Compliance Visit. If officers have had to issue any type of specific written advice to the business advising them what steps they need to put in place to become compliant, they will need to check this first. Any specific written advice or warning should have been accompanied by a schedule, which should be used as a benchmark to evaluate whether the business has taken the steps we have recommended. See MLR1 for further details.
For each recommendation Officers need to consider what they need to see.
Using a risk-based approach, they should evaluate whether the business has done enough to improve compliance or whether a breach has occurred. Officers will need to consider which tests are most appropriate to do this. The table of compliance risk areas and appropriate tests at Appendix 4 MLR3C15000 provides further details on tests compliance officers can undertake.
If a warning has previously been issued, officers should check that the business is taking steps to comply with the warning. In cases where a previous penalty has been issued, officers should consider whether the penalty has resulted in a positive change of behaviour. It is good practice to include this in the visit plan.
Irrespective of whether we have issued previous penalties or warnings, officers need to test how effectively the business has complied with the risk-based requirements of Regulation 20. It would be helpful if we have a copy of any written policy, but this is not essential because, fundamentally, we need to know:
- What risks were identified?
- How were they identified and assessed?
- What controls, monitoring and procedures are in place?
- How was it determined that these are set at the appropriate level?
- How are these communicated, where appropriate?
- What is the specific procedure for Suspicious Activity Reporting?
The most appropriate way to address this is by interviewing the business owner or NO within the business to establish who is responsible for the development and implementation of the policies and procedures they have in place. Officers should remember to record all information obtained during the interview in their notebook.