Chapter 27 AML: responsibility and oversight Flashcards
27.1 AML responsibilities of a business
The 2017 regulations require anti-money laundering systems and controls and they impose a duty to ensure relevant employees are aware of these systems and controls and are trained to apply them properly. Businesses are required to monitor and manage their own compliance with the 2017 regulations and make sure they are always familiar with the 2017 requirements to ensure continuing compliance.
If a business fails to meet its obligations under the 2017 regulations, civil penalties or criminal sanctions can be imposed on the business and any individuals deemed responsible. The primary money laundering offences defined under POCA can be committed by anyone inside or outside the regulated sector, but POCA imposes specific provisions on the regulated sector. Businesses must have systems capable of assessing the risks associated with clients, performing CDD, monitoring clients, keeping records and enabling staff to make an internal SAR.
Relevant employees must be trained appropriately so they understand both their own personal AML obligations and the business’ systems and controls.
27.2 AML implementation by sole practitioners
A sole practitioner with no relevant employees does not need to:
• Appoint a board member to be responsible for the business’ compliance with the UK AML regime; the sole practitioner is responsible
• Appoint a nominated officer, as the sole practitioner is responsible for submitting external reports to the NCA
• Establish an independent audit function for AML policies, controls and procedures
27.3 Senior management/MLRO AML responsibilities
The 2017 regulations define senior management as an officer or employee with sufficient knowledge of the business’ MLTF risk exposure and with sufficient authority to take decisions affecting its risk exposure. The approval of senior management must be obtained for the policies, controls and procedures adopted by the business and before entering or continuing a business relationship with a politically exposed person (PEP), a family member of a PEP or a close associate of a PEP. Members of senior management should receive CPD appropriate for their role.
Where appropriate to the size of the business, the business needs to appoint a member of senior management or the board to be responsible for compliance with the AML regime. The role requires the individual to have:
• An understanding of the business and its clients
• Sufficient authority to direct the activities of all members of staff
• The authority to ensure the business’ compliance with the regime
• The time, capacity and resources to fulfil the role
A business should also appoint a nominated officer responsible for receiving SARs and making external SARs to the NCA. The person must have sufficient seniority to make decisions, the authority to make external reports to the NCA without reference to another person and the time, capacity and resources to review internal SARs and make external SARs in a timely manner. Within 14 days of appointment the business’ anti-money laundering supervisory authority must be informed of the identity of the individual(s). Depending on the size of the business, these two roles can be taken on by one person, called the MLRO.
27.3 Senior management/MLRO AML responsibilities (2)
The role of the MLRO is not defined in legislation but traditionally includes responsibility for internal controls and risk management around MLTF. Businesses with an MLRO should ensure that the role reflects current law, regulation and guidance and that the MLRO has the seniority, authority, time and resources to fulfil the brief. A business may want deputies and delegates to the MLRO, depending on the size of the business. The MLRO should:
• Have oversight and be involved in MLTF risk assessments
• Take steps to access any relevant information about the business
• Use national and international findings to inform their performance of their role
• Maintain the business’ risk-based approach to preventing MLTF
• Implement systems, controls and policies to focus on MLTF
• Develop customer due diligence policies and procedures
• Ensure staff can make internal SARs to comply with POCA
• Take steps to ensure there are adequate arrangements for awareness and training
• Receive the findings of relevant audits and compliance reviews and communicate these to the board
• Report at least annually to the board on the effectiveness of the business’ AML systems. This should take the form of a written report which is supplemented with regular ad hoc meetings to keep senior management engaged with AML compliance. The board should be able to demonstrate they have given the reports proper consideration
27.4 Splitting the MLRO role
When the role is split the allocation of the duties should be clear and the anti-money laundering supervisory authority should be clear on the allocation. Businesses may use their discretion as to how to assign duties between two or more individuals depending on their size and complexity.
27.5 AML policies, procedures and controls
The 2017 regulations place requirements on businesses regarding CDD, record keeping, procedures and training. The following need to be considered for the MLTF framework: risk-based approach, CDD, record keeping, internal control, ongoing monitoring, reporting procedures, compliance management and communication.
Firms are required to establish and maintain policies and procedures to manage the risks of money laundering and terrorist financing. Records must be maintained in writing and should include risk management practices, internal controls, customer due diligence, reliance and record keeping and the monitoring and management of compliance.
Policies and procedures should provide for the identification and scrutiny of complex large transactions with no apparent economic or legal purpose. It is a good idea to indicate how staff make reports to the MLRO. The procedures should be easy for all staff to follow; the document does not need to be lengthy. Businesses should have different risk categories in relation to their clients or areas of work. Firms should regularly review their policies and keep written records of the policies and the changes to them. Businesses with overseas subsidiaries should have a group-wide policy complying with UK law. If this is not permitted in the overseas territory, the business must inform its anti-money laundering supervisory authority and implement additional risk-based procedures.
It is the ultimate responsibility of the board member or senior management for compliance to identify the risks and develop risk-based procedures for taking on new clients. A risk assessment should be conducted at least annually with new and changing risks considered as and when they are identified. Resources like the Financial Action Task Force (FATF) mutual evaluations and Transparency International’s corruption perception index can be useful when determining the MLTF risk.
27.5 AML policies, procedures and controls (2) - CDD, reporting, record keeping, training and employee screening
CDD – the MLRO is responsible for this. CDD is the process by which the identity of a client is established and verified, for new and existing clients. The procedures ensure employees are able to make informed decisions about whether or not to establish a business relationship or undertake an occasional transaction (one with a value of more than 15,000 euros), in light of the MLTF risks associated with the client.
Reporting – under POCA the reporting of knowledge or suspicion of money laundering is a legal requirement. It is the MLRO’s responsibility to satisfy the POCA reporting requirements. They must have clear policies on what is expected when an individual becomes aware or has suspicions of money laundering and how they report it to the MLRO.
Record keeping – all records as part of the CDD process must be retained for 5 years after the relationship ends. All records related to an occasional transaction must be retained for five years after the transaction is completed. A disengagement letter is evidence that the relationship has ended. There is no comparable retention period for information and communications relating to SARs, but a business may wish to retain these securely for five years.
Training and awareness – all employees must be aware of the law relating to MLTF and data protection and be given regular training. Employees should be aware of their legal and regulatory duties, understand how to put those requirements into practice and be continuously updated about changes in the business’ AML policies and the MLTF risks faced. A business failing to provide training for relevant employees is at risk of prosecution and would risk failing to comply with Section 338 of POCA.
Employee screening – an employee is relevant if their work is relevant to compliance with the 2017 regulations or otherwise capable of contributing to the business’ identification, prevention or detection of MLTF. It is important that businesses have a mechanism for evidencing MLTF knowledge within such procedures, for example a test with the results recorded.
27.5 AML policies, procedures and controls (3) - monitoring policies
Monitoring policies and procedures – the MLRO and senior management should monitor the effectiveness of policies and processes, so improvements can be made. They can do this by having regular independent reviews to understand the effectiveness of their systems. Any recommendations for improvement should be monitored. The reviews should be proportionate to the size and nature of the business. As part of improvements, the MLRO and senior management should monitor publicly available information on best practice for MLTF risks, for example thematic reviews by regulators.
When operating through incorporated bodies or partnerships, members need to consider what policies and procedures they need in place to address potential issues in relation to the corporate offences of failure to prevent the criminal facilitation of tax evasion.