Your AML Policy sets out what you have decided your business needs to have in place to comply with the MLRs.

It doesn’t need to be a lengthy document or contain a regurgitated list of regulatory requirements. It should be a statement about the approach your business will adopt around a specific area.

The MLRs require that a practice has a documented policy and procedure that explains how your practice will meet the MLR requirements across certain areas.

Risk management practices: This should cover your approach to conducting:
- The Firm Risk Assessment (now including a risk assessment relating to proliferation financing, as well as MLTF)
- An individual Client Risk Assessment for each client
- Reviews of the effectiveness and appropriateness of the overall MLR processes

Internal controls:
- Employee screening
- An independent audit function for review of adequacy and effectiveness of the MLR processes
- Identifying a nominated officer
- Identifying the individual with responsibility for compliance
- A process for responding fully and rapidly to enquiries from relevant law enforcement authorities

Training: Ensure relevant employees are aware of the law relating to MLTPF and the requirements of data protection, and are regularly given training in how to recognise and deal with transactions and other activities or situations which may be related to MLTPF. Maintain a record of the training given.

Customer due diligence: Outline the policy of the practice surrounding due diligence requirements and risk appetite. It should set out the CDD process that the practice will go through to onboard a client.

Where additional checks exist to mitigate against non-standard risks (Enhanced Due Diligence, EDD), the circumstances in which they should be used should be identified.

What should risk management practices cover?

Risk management practices: This should cover your approach to conducting:
- The Firm Risk Assessment (now including a risk assessment relating to proliferation financing, as well as MLTF)
- An individual Client Risk Assessment for each client
- Reviews of the effectiveness and appropriateness of the overall MLR processes

When must Enhanced Due Diligence be conducted?

The MLRs outline a number of situations where relevant EDD must be conducted:
- PEP clients
- Clients identified as high risk
- Where the practice discovers that false or stolen identification documentation or information has been provided and the practice intends to continue their business relationship
- Where transactions are complex, unusually large or form part of an unusual pattern
- Where the transaction has no apparent economic or legal purpose
- In any circumstance which, by its nature, can present a higher risk of MLTPF

What are common issues and omissions?

Some of the common issues we see are:
- Use of a template which is basic and has not been tailored to the practice
- Documents not updated to incorporate the MLR Amendments of 2019 & 2022
- No explanation about what constitutes reasonable grounds for Simplified and Enhanced Due Diligence
- Not documenting that an engagement will be refused where the client refuses to provide CDD or if CDD information cannot be confirmed
- No detail regarding how record retention is managed within the practice
- For practices with staff – no internal SAR reporting procedure