3.1 General comments
Develop systems to meet your obligations and risk profile in a risk-based and proportionate manner. Policies and procedures supporting these systems mean that staff apply the systems consistently and firms can demonstrate to oversight bodies that processes facilitating compliance are in place.
3.2 Application
Regulation 20 of the Money Laundering Regulations 2007 requires the regulated sector to have certain systems in place. If you are in the regulated sector, failing to have those systems is an offence, punishable by a fine or up to two years' imprisonment. You must demonstrate your compliance to the SRA, as supervisor under the regulations.
If you are outside the regulated sector, you should still consider how these systems can assist you to comply with your obligations to report suspicious transactions in accordance with POCA and the Terrorism Act.
3.3 Nominated officers
3.3.1 Why have a nominated officer?
Regulation 20(2)(d)(i) requires that all firms within the regulated sector must have a nominated officer to receive disclosures under Part 7 of POCA and the Terrorism Act, and to make disclosures to SOCA.
Regulation 20(3) provides that there is no requirement to have a nominated officer if you are an individual who provides regulated services but do not employ any people or act in association with anyone else.
Firms who do not provide services within the regulated sector should consider appointing a nominated officer, even though it is not required, because POCA and the Terrorism Act still apply. The SRA Handbook requires business management systems facilitating compliance with legal obligations.
3.3.2 Who should be a nominated officer?
Your nominated officer should be of sufficient seniority to make decisions on reporting which can impact your firm's business relations with your clients and your exposure to criminal, civil, regulatory and disciplinary sanctions. They should also be in a position of sufficient responsibility to enable them to have access to all of your firm's client files and business information to enable them to make the required decisions on the basis of all information held by the firm.
Firms authorised by the FSA will need to obtain the FSA's approval to the appointment of the nominated officer as this is a controlled function under section 59 of the Financial Services and Markets Act 2000.
3.3.3 Role of the nominated officer
Your nominated officer is responsible for ensuring that, when appropriate, the information or other matter giving rise to knowledge or suspicion of money laundering, or to reasonable grounds for knowledge or suspicion, is properly disclosed to the relevant authority. The decision to report, or not to report, must not be subject to the consent of anyone else. Your nominated officer will also liaise with SOCA or law enforcement on whether to proceed with a transaction and on what information may be disclosed to clients or third parties.
The size and nature of some firms may lead to the nominated officer delegating certain duties regarding the firm's AML/CTF obligations. In some large firms, one or more permanent deputies of suitable seniority may be appointed. All firms will need to consider arrangements for temporary cover when the nominated officer is absent.
3.4 Risk assessment
You can extend your existing risk management systems to address AML and CTF risks. The detail and sophistication of these systems will depend on your firm's size and the complexity of the business it undertakes. Ways of incorporating your risk assessment of clients, business relationships and transactions into the overall risk assessment will be governed by the size of your firm and how regularly compliance staff and senior management are involved in day-to-day activities.
Issues which may be covered in a risk assessment system include:
- the firm's current risk profile
- how AML/CTF risks will be assessed, and processes for re-assessment and updating of the firm's risk profile
- internal controls to be implemented to mitigate the risks
- which firm personnel have authority to make risk-based decisions on compliance on individual files
- how compliance will be monitored and effectiveness of internal controls will be reviewed
3.5 Internal controls and monitoring compliance
The level of internal controls and extent to which monitoring needs to take place will be affected by:
- your firm's size
- the nature, scale and complexity of its practice
- its overall risk profile
Issues which may be covered in an internal controls system include:
- the level of personnel permitted to exercise discretion on the risk-based application of the regulations, and under what circumstances
- CDD requirements to be met for simplified, standard and enhanced due diligence
- when outsourcing of CDD obligations or reliance will be permitted, and on what conditions
- how you will restrict work being conducted on a file where CDD has not been completed
- the circumstances in which delayed CDD is permitted
- when cash payments will be accepted
- when payments will be accepted from or made to third parties
- the manner in which disclosures are to be made to the nominated officer
Monitoring compliance will assist you to assess whether the policies and procedures you have implemented are effective in forestalling money laundering and terrorist financing opportunities within your firm. Issues which may be covered in a compliance system include:
- procedures to be undertaken to monitor compliance, which may involve:
- random file audits
- file checklists to be completed before opening or closing a file
- a nominated officer's log of situations brought to their attention, queries from staff and reports made
- reports to be provided from the nominated officer to senior management on compliance
- how to rectify lack of compliance, when identified
- how lessons learnt will be communicated back to staff and fed back into the risk profile of the firm
3.6 Customer due diligence
You are required to have a system outlining the CDD measures to be applied to specific clients. You should consider recording your firm's risk tolerances to be able to demonstrate to your supervisor that your CDD measures are appropriate.
Your CDD system may include:
- when CDD is to be undertaken
- information to be recorded on client identity
- information to be obtained to verify identity, either specifically or providing a range of options with a clear statement of who can exercise their discretion on the level of verification to be undertaken in any particular case
- when simplified due diligence may occur
- what steps need to be taken for enhanced due diligence
- what steps need to be taken to ascertain whether your client is a PEP
- when CDD needs to occur and under what circumstances delayed CDD is permitted
- how to conduct CDD on existing clients
- what ongoing monitoring is required
For suggested methods on how to conduct CDD see Chapter 4 of this practice note.
3.7 Disclosures
Firms, but not sole practitioners who have no other staff, need to have a system clearly setting out the requirements for making a disclosure under POCA and the Terrorism Act. These may include:
- the circumstances in which a disclosure is likely to be required
- how and when information is to be provided to the nominated officer or their deputies
- resources which can be used to resolve difficult issues around making a disclosure
- how and when a disclosure is to be made to SOCA
- how to manage a client when a disclosure is made while waiting for consent
- the need to be alert to tipping off issues
For details on when a disclosure needs to be made see chapters 5, 6 and 7 of this practice note. For details on how to make a disclosure see chapter 8 of this practice note.
3.8 Record keeping
Various records must be kept to comply with the regulations and defend any allegations against the firm in relation to money laundering and failure to report offences. A firm's records system must outline what records are to be kept, the form in which they should be kept and how long they should be kept.
Regulation 19 requires that firms keep records of CDD material and supporting evidence and records in respect of the relevant business relationship or occasional transaction. Adapt your standard archiving procedures for these requirements.
3.8.1 CDD material
You may keep either a copy of verification material, or references to it. Keep it for five years after the business relationship ends or the occasional transaction is completed. Consider holding CDD material separately from the client file for each retainer, as it may be needed by different practice groups in your firm.
Depending on the size and sophistication of your firm's record storage procedures you may wish to:
- scan the verification material and hold it electronically
- take photocopies of CDD material and hold it in hard copy with a statement that the original has been seen
- accept certified copies of CDD material and hold them in hard copy
- keep electronic copies or hard copies of the results of any electronic verification checks
- record reference details of the CDD material sighted
The option of merely recording reference details may be particularly useful when taking instructions from clients at their home or other locations away from your office. The types of details it would be useful to record include:
- any reference numbers on documents or letters
- any relevant dates, such as issue, expiry or writing
- details of the issuer or writer
- all identity details recorded on the document
Where you are relied upon by another person under Regulation 17 for the completion of CDD measures, you must keep the relevant documents for five years from the date on which you were relied upon.
3.8.2 Risk assessment notes
You should consider keeping a record of your risk assessment decisions and of what CDD was undertaken. This does not need to be in significant detail: a note on the CDD file stating the risk level you attributed to the file and why you considered the CDD information sufficient is enough. For example:
'This is a low risk client with no beneficial owners providing medium risk instructions. Standard CDD material was obtained and medium level ongoing monitoring is to occur.'
Such an approach may assist firms to demonstrate they have applied a risk-based approach in a reasonable and proportionate manner. Notes taken at the time are better than justifications provided later.
Firms may choose standard categories of comment to apply to notes.
3.8.3 Supporting evidence and records
You must keep all original documents or copies admissible in court proceedings.
Records of a particular transaction, either as an occasional transaction or within a business relationship, must be kept for five years after the date the transaction is completed.
All other documents supporting records must be kept for five years after the completion of the business relationship.
3.8.4 Suspicions and disclosures
It is recommended that you keep comprehensive records of suspicions and disclosures because disclosure of a suspicious activity is a defence to criminal proceedings. Such records may include notes of:
- ongoing monitoring undertaken and concerns raised by fee earners and staff
- discussions with the nominated officer regarding concerns
- advice sought and received regarding concerns
- why the concerns did not amount to a suspicion and a disclosure was not made
- copies of any disclosures made
- conversations with SOCA, law enforcement, insurers, supervisory authorities etc regarding disclosures made
- decisions not to make a report to SOCA, which may be important for the nominated officer in justifying their position to law enforcement
You should ensure records are not inappropriately disclosed to the client or third parties to avoid offences of tipping off and prejudicing an investigation, and to maintain a good relationship with your clients. This may be achieved by maintaining a separate file, either for the client or for the practice area.
3.8.5 Data protection
The Data Protection Act 1998 applies to you and to SOCA. It allows clients or others to make subject access requests for personal data held about them. Such requests could cover any disclosures made.
Section 29 of the Data Protection Act 1998 states you need not provide personal data where disclosure would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders.
HM Treasury and the Information Commissioner have issued guidance which essentially provides that the Section 29 exception would apply where granting access would amount to tipping off. This may extend to suspicions only reported internally within the firm.
If you decide the Section 29 exception applies, document steps taken to assess this, to respond to any enquiries by the Information Commissioner.
See the HM Treasury guidance and the Information Commissioner guidance (PDF, 73kb).
Note the definition of personal data.
3.9 Communication and training
Your staff members are the most effective defence against launderers and terrorist financers who would seek to abuse the services provided by your firm.
Regulation 20 requires that you communicate your AML/CTF obligations to your staff, while regulation 21 requires that you give staff appropriate training on their legal obligations and information on how to recognise and deal with money laundering and terrorist financing risks.
Chapter 7 of the SRA Handbook also requires you to train your staff to a level appropriate to their work and level of responsibility.
3.9.1 Criminal sanctions and defences
Receiving insufficient training is a defence for individual staff members who fail to report a suspicion of money laundering, provided they did not know or suspect money laundering. However, it is not a defence to terrorist funding charges, and leaves your firm vulnerable to sanctions under the regulations for failing to properly train your staff.
3.9.2 Who should be trained?
When setting up a training and communication system you should consider:
- which staff require training
- what form the training will take
- how often training should take place
- how staff will be kept up-to-date with emerging risk factors for the firm
Your assessment of who should receive training should cover anyone who deals with clients in areas of practice within the regulated sector, handles funds or otherwise assists with compliance. Consider fee earners, reception staff, administration staff and finance staff, because each will be involved in compliance differently and so will have different training requirements.
Training can take many forms and may include:
- face-to-face training seminars
- completion of online training sessions
- attendance at AML/CTF conferences
- participation in dedicated AML/CTF forums
- review of publications on current AML/CTF issues
- firm or practice group meetings for discussion of AML/CTF issues and risk factors
Providing an AML/CTF policy manual is useful to raise staff awareness and can be a continual reference source between training sessions.
3.9.3 How often?
You must give your employees relevant training at regular and appropriate intervals. In determining whether your training programme meets this requirement, you should have regard to the firm's risk profile and the level of involvement particular staff have in ensuring compliance.
You should consider retaining evidence of your assessment of training needs and steps taken to meet such needs.
You should also consider:
- criminal sanctions and reputational risks of non-compliance
- developments in the common law
- changing criminal methodologies
Some type of training for all relevant staff every two years is preferable.
3.9.4 Communicating with your clients
While not specifically required by the regulations, we consider it useful for you to tell your client about your AML/CTF obligations. Clients are then generally more willing to provide required information when they see it as a standard requirement.
You may wish to advise your client of the following issues:
- the requirement to conduct CDD to comply with the regulations
- whether any electronic verification is to be undertaken during the CDD process
- the requirement to report suspicious transactions
Consider the manner and timing of your communications, for example whether the information will be provided in the standard client care letter or otherwise.