4.3. Internal policies, procedures, systems and controls

4.3.1. Requirements of policies, procedures, systems and controls

The policies, procedures, systems and controls adopted by a Relevant Person under AML 4.1.1 must be:

  (a) proportionate to the nature, scale, complexity and money laundering risks of the activities of the Relevant Person’s business;
  (b) comprised of, at minimum, organisation of the development and maintenance of the policies, procedures, systems and controls required by AML 4.1.1:
      (i) risk management;
      (ii) customer identification;
      (iii) transaction monitoring and reviewing;
      (iv) employees training and awareness programme;
      (v) appropriate representation of compliance function in the management;
      (vi) adequate screening procedures to ensure high standards when hiring employees; and
      (vii) independent audit function to test the system.
  (c) approved by its senior management; and
  (d) monitored, reviewed and updated regularly.

4.3.2. Purpose of policies, procedures, systems and controls

The policies, procedures, systems and controls must provide for the identification and scrutiny of:

  (a) complex or unusually large transactions, or an unusual pattern of transactions;
  (b) transactions which have no apparent economic or legal purpose; and
  (c) other activity which the Relevant Person regards as particularly likely by its nature to be related to money laundering.

4.3.3. Record of policies, procedures, systems and controls

A Relevant Person must maintain a written record of the policies, procedures, systems and controls established under AML 4.1.1. The Rules regarding record-keeping for the purposes of these Rules are in AML 14.5.

Guidance on the risk based approach

  (a) AML 4.1.1 requires a Relevant Person to adopt an approach to AML which is proportionate to the risks inherent in its business. This is illustrated in Figure 1 below. The AFSA expects the RBA to be a key part of the Relevant Person's AML compliance culture and to cascade down from the senior management to the rest of the organisation. It requires the full commitment and support of senior management, and the active cooperation of all employees. Embedding the RBA within its business allows a Relevant Person to make decisions and allocate AML resources in the most efficient and effective way.
  (b) No system of checks will detect and prevent all money laundering. A RBA will, however, balance the cost burden placed on Relevant Persons and their customers, against a realistic assessment of the threat of the Relevant Person’s business being used in connection with money laundering. It will focus the effort where it is needed and will have most impact.
  (c) In implementing the RBA, a Relevant Person is expected to have in place processes to identify and assess money laundering risks. After the risk assessment, the Relevant Person is expected to monitor, manage and mitigate the risks in a way that is proportionate to the Relevant Person's exposure to those money laundering risks. The general principle is that where there are higher risks of money laundering, a Relevant Person is required to take enhanced measures to manage and mitigate those risks, and that, correspondingly, when the risks are lower, simplified measures are permitted.
  (d) The RBA discourages a "tick-box" approach to AML. Instead, a Relevant Person is required to assess relevant money laundering risks and adopt a proportionate response to such risks.
  (e) Unless a Relevant Person understands the money laundering risks to which it is exposed, it cannot take appropriate steps to prevent its business being used for the purposes of money laundering. Money laundering risks vary from business to business depending on the nature of the business, the type of customers a business has, and the nature of the products and services sold.
  (f) Relevant Persons that do not offer complex products or services and that have limited international exposure may not need an overly complex or sophisticated business risk assessment.
  (g) Using the RBA, a Relevant Person assesses its own vulnerabilities to money laundering and takes all reasonable steps to eliminate or manage such risks. The results of this assessment will also feed into the Relevant Person’s risk assessment of its customers (see Chapter 6).
  (h) Risk management is a continuous process, carried out on a dynamic basis. A money laundering risk assessment is not a one-time exercise. The AFSA expects that a Relevant Person's risk management processes for managing money laundering risks are kept under regular review and that any changes made to policies, procedures, systems and controls are recorded.