Policies, controls and procedures
19.—(1) A relevant person must—
(a)establish and maintain policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified in any risk assessment undertaken by the relevant person under regulation 18(1);
(b)regularly review and update the policies, controls and procedures established under sub-paragraph (a);
(c)maintain a record in writing of—
(i)the policies, controls and procedures established under sub-paragraph (a);
(ii)any changes to those policies, controls and procedures made as a result of the review and update required by sub-paragraph (b); and
(iii)the steps taken to communicate those policies, controls and procedures, or any changes to them, within the relevant person’s business.
(2) The policies, controls and procedures adopted by a relevant person under paragraph (1) must be—
(a)proportionate with regard to the size and nature of the relevant person’s business, and
(b)approved by its senior management.
(3) The policies, controls and procedures referred to in paragraph (1) must include—
(a)risk management practices;
(b)internal controls (see regulations 21 to 24);
(c)customer due diligence (see regulations 27 to 38);
(d)reliance and record keeping (see regulations 39 to 40);
(e)the monitoring and management of compliance with, and the internal communication of, such policies, controls and procedures.
(4) The policies, controls and procedures referred to in paragraph (1) must include policies, controls and procedures—
(a)which provide for the identification and scrutiny of—
(i)any case where—
(aa)a transaction is complex and unusually large, or there is an unusual pattern of transactions, and
(bb)the transaction or transactions have no apparent economic or legal purpose, and
(ii)any other activity or situation which the relevant person regards as particularly likely by its nature to be related to money laundering or terrorist financing;
(b)which specify the taking of additional measures, where appropriate, to prevent the use for money laundering or terrorist financing of products and transactions which might favour anonymity;
(c)which ensure that when new technology is adopted by the relevant person, appropriate measures are taken in preparation for, and during, the adoption of such technology to assess and if necessary mitigate any money laundering or terrorist financing risks this new technology may cause;
(d)under which anyone in the relevant person’s organisation who knows or suspects (or has reasonable grounds for knowing or suspecting) that a person is engaged in money laundering or terrorist financing as a result of information received in the course of the business or otherwise through carrying on that business is required to comply with—
(i)Part 3 of the Terrorism Act 2000(1); or
(ii)Part 7 of the Proceeds of Crime Act 2002(2);
(e)which, in the case of a money service business that uses agents for the purpose of its business, ensure that appropriate measures are taken by the business to assess—
(i)whether an agent used by the business would satisfy the fit and proper test provided for in regulation 58; and
(ii)the extent of the risk that the agent may be used for money laundering or terrorist financing.
(5) In determining what is appropriate or proportionate with regard to the size and nature of its business, a relevant person may take into account any guidance which has been—
(a)issued by the FCA; or
(b)issued by any other supervisory authority or appropriate body and approved by the Treasury.
(6) A relevant person must, where relevant, communicate the policies, controls and procedures which it establishes and maintains in accordance with this regulation to its branches and subsidiary undertakings which are located outside the United Kingdom.