Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018

Internal policies, controls and procedures

26. The Act of 2010 is amended by the substitution of the following section for section 54:

54. (1) A designated person shall adopt internal policies, controls and procedures in relation to the designated person’s business to prevent and detect the commission of money laundering and terrorist financing.

(2) In particular, a designated person shall adopt internal policies, controls and procedures to be followed by any persons involved in carrying out the obligations of the designated person under this Part.

(3) The internal policies, controls and procedures referred to in subsection (1) shall include policies, controls and procedures dealing with—

(a) the identification, assessment, mitigation and management of risk factors relating to money laundering or terrorist financing,

(b) customer due diligence measures,

(c) monitoring transactions and business relationships,

(d) the identification and scrutiny of complex or large transactions, unusual patterns of transactions that have no apparent economic or visible lawful purpose and any other activity that the designated person has reasonable grounds to regard as particularly likely, by its nature to be related to money laundering or terrorist financing,

(e) measures to be taken to prevent the use for money laundering or terrorist financing of transactions or products that could favour or facilitate anonymity,

(f) measures to be taken to prevent the risk of money laundering or terrorist financing which may arise from technological developments including the use of new products and new practices and the manner in which services relating to such developments are delivered,

(g) reporting (including the reporting of suspicious transactions),

(h) record keeping,

(i) measures to be taken to keep documents and information relating to the customers of that designated person up to date,

(j) measures to be taken to keep documents and information relating to risk assessments by that designated person up to date,

(k) internal systems and controls to identify emerging risks and keep business-wide risk assessments up to date, and

(l) monitoring and managing compliance with, and the internal communication of, these policies, controls and procedures.

(4) A designated person shall ensure that policies, controls and procedures adopted in accordance with this section are approved by senior management and shall keep such policies, controls and procedures under review, in particular when there are changes to the business profile or risk profile of the designated person.

(5) In preparing internal policies, controls and procedures under this section, the designated person shall have regard to any guidelines on preparing, implementing and reviewing such policies and procedures that are issued by the competent authority for that designated person.

(6) A designated person shall ensure that persons involved in the conduct of the designated person’s business are—

(a) instructed on the law relating to money laundering and terrorist financing, and

(b) provided with ongoing training on identifying a transaction or other activity that may be related to money laundering or terrorist financing, and on how to proceed once such a transaction or activity is identified.

(7) A designated person shall appoint an individual at management level, (to be called a ‘compliance officer’) to monitor and manage compliance with, and the internal communication of, internal policies, controls and procedures adopted by the designated person under this section if directed in writing to do so by the competent authority for that designated person.

(8) A designated person shall appoint a member of senior management with primary responsibility for the implementation and management of anti-money laundering measures in accordance with this Part if directed in writing to do so by the competent authority for that designated person.

(9) A designated person shall undertake an independent, external audit to test the effectiveness of the internal policies, controls and procedures outlined in this section if directed in writing to do so by the competent authority for that designated person.

(10) A reference in this section to persons involved in carrying out the obligations of the designated person under this Part includes a reference to directors and other officers, and employees, of the designated person.

(11) The obligations imposed on a designated person under this section do not apply to a designated person who is an employee of another designated person.

(12) Subsections (6), (7), (8), and (9) do not apply to a designated person who is an individual and carries on business alone as a designated person.

(13) A competent authority shall not issue a direction for the purposes of subsection (7), (8) or (9) unless it is satisfied that, having regard to the size and nature of the designated person, it is appropriate to do so.

(14) A competent authority may make a direction to a class of designated persons for whom it is the competent authority for the purposes of subsection (7), (8) and (9).

(15) A designated person who fails to comply with this section commits an offence and is liable—

(a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months (or both), or

(b) on conviction on indictment, to a fine or imprisonment for a term not exceeding 5 years (or both).”.