MLR3C8400 - Compliance visit tests: Checking internal control and compliance monitoring

Section 5 of MLR 8 explains the internal control and compliance monitoring requirements in some detail. The internal control requirements basically mean that businesses must have sufficient management controls and communication routes in place so as to be able to recognise high-risk and suspicious situations and take action to prevent and/or report money laundering or terrorist financing activity.

What is appropriate will depend upon the size, structure and complexity of the business and the risks associated with the products, customers and transactions involved.

Internal control policies and procedures will be more appropriate for businesses with large, sophisticated or complicated management systems requiring oversight and control by senior management, e.g. where products, customers or operations are diverse; or where there are numerous premises or agents.

Procedures for monitoring compliance with the business’s policies and procedures will be necessary for all businesses with employees.

In addition to the guidance on internal controls in section 5 of MLR8, section 6 provides guidance for senior managers on the value and content of policy statements.

To evaluate a business’s compliance with these requirements, compliance officers should consider the following questions where relevant:

  • Does the business clearly communicate its anti money laundering and counter terrorist funding policies and procedures to its employees in a way that will focus the minds of staff on the need to be constantly aware of the risks and how to react in higher-risk or suspicious situations?
  • Are individuals’ and management responsibilities clearly explained within the organisation?
  • Are money laundering and terrorist financing risks taken into account in the day to day operations of the business?
  • Is information on potential money laundering or terrorist financing activity reported to senior management quickly so that it can be prevented or reported?
  • Does the business monitor its compliance with the Regulations in a reasonable and effective way?
  • If the business has agents included on its registration, how is risk and compliance managed in respect of “F&P” criteria, CDD, transaction monitoring and reporting suspicious transactions?
  • Are site visits carried out to branches or agents to check compliance?

Further information on internal controls can be found in the FATF accountants TCSP and lawyers’ guidance.