AML 4 MSB 5. Policies, Controls and Procedures
Right. You have completed your risk assessment. Haven’t you? Yes? Read on. No? Go here.
Policy. From the guidance:
“Your policy statement must lay out your policy, control and procedures and how you and other senior managers will manage the business’ exposure to risk. It must be proportionate to the size and nature of your business. It must make clear how you’ll manage the risks identified in your risk assessment to prevent money laundering and terrorist financing and take account of any additional risk due to the size and nature of your business.”
My approach is to see the policy document as the overview. A short document that does not go into details, but explains how you manage and mitigate risk in the business. This is the top level document.
Controls and Procedures
This is nitty-gritty time.
“Your policies, controls, and procedures must also show how you will:
- do customer due diligence checks and conduct ongoing monitoring
- identify when a customer or beneficial owner is a politically exposed person (PEP) or a family member or close associate of a PEP, and do appropriate levels of enhanced due diligence (as described later in this guidance)
- appoint a nominated officer to receive reports of suspicious activity from staff and make suspicious activity reports to the National Crime Agency
- make sure your staff and the staff of your agents are trained to recognise money laundering and terrorist financing risks and understand what they should do to manage these, including the importance of reporting suspicious activity to the nominated officer
- review and update the business’s policies, controls and procedures
- maintain accurate, up-to-date record keeping and retention of records”
The guidance lays out the structure for us.
This document is the one that gets into the weeds. How do you check who your customer is? When? How do you record it?
These procedures should not be aspirational - they should be actual. Most sanctions and penalties are levied not because a procedure is wrong, but because a firm does not follow its own procedure, or has no procedure at all.
In the simplest terms.
Write a policy.
It’s not that difficult, is it?
Policies and Procedures can be daunting. They are necessarily detailed documents. If you would like Lime to cast an eye over yours, we will, for free. Get in touch.