Policies

(1) A relevant person must not enter into or carry on a business relationship, or carry out an occasional transaction, with or for a customer or another person unless the relevant person —

(a) establishes, records, operates and maintains procedures and controls —

(i) in order to comply with each paragraph within Parts 3 to 9;

(ii) in relation to determining whether a customer, any beneficial owner, beneficiary, introducer or eligible introducer is included on the sanctions list; and

(iii) in relation to internal controls and communication matters that are appropriate for the purposes of forestalling and preventing ML/FT;

(b) takes appropriate measures for the purpose of making its employees and workers aware of —

(i) the AML/CFT legislation; and

(ii) the procedures and controls established, recorded, maintained and operated under head (a).

(2) The procedures and controls referred to in sub-paragraph (1) must —

(a) have regard to the materiality and risk of ML/FT including whether a customer, beneficial owner, beneficiary, introducer or eligible introducer poses a higher risk of ML/FT;

(b) enable the relevant person to manage and mitigate the risks of ML/FT that have been identified by the relevant person when carrying out the requirements of this Code; and

(c) be approved by the senior management of the relevant person.

(3) The ultimate responsibility for ensuring compliance with this Code is that of the relevant person, regardless of any outsourcing or reliance on third parties during the process.

(1) A relevant person must carry out an assessment that estimates the risk of ML/FT posed by the relevant person’s business and customers.

(2) The business risk assessment must be —

(a) undertaken as soon as reasonably practicable after the relevant person commences business;

(b) recorded in order to demonstrate its basis; and

(c) regularly reviewed (details of any review must be recorded) and, if appropriate, amended so as to keep the assessment up-to-date.

(3) The business risk assessment must have regard to all relevant risk factors, including —

(a) the nature, scale and complexity of the relevant person’s activities;

(b) any relevant findings of the most recent National Risk Assessment relating to the Island;

(c) the products and services provided by the relevant person;

(d) the manner in which the products and services are provided, including whether the relevant person meets its customers;

(e) the involvement of any third parties for elements of the customer due diligence process, including where reliance is placed on a third party;

(f) customer risk assessments carried out under paragraph 6; and

(g) any technology risk assessment carried out under paragraph 7.

(1) A relevant person must carry out an assessment that estimates the risk of ML/FT posed by the relevant person’s customer.

(2) A customer risk assessment must be —

(a) undertaken prior to the establishment of a business relationship or the carrying out of an occasional transaction with or for that customer;

(b) recorded in order to be able to demonstrate its basis; and

(c) regularly reviewed (details of any review must be recorded) and, if appropriate, amended so as to keep the assessment up-to-date.

(3) The customer risk assessment must have regard to all relevant risk factors, including —

(a) the business risk assessment carried out under paragraph 5;

(b) the nature, scale, complexity and location of the customer’s activities;

(c) the manner in which the products and services are provided to the customer;

(d) the risk factors included in paragraph 15(5) and (7);

(e) the involvement of any third parties for elements of the customer due diligence process, including where reliance is placed on a third party;

(f) any risk assessment carried out under paragraph 9(4); and

(g) whether the relevant person and the customer have met during the business relationship, or its formation, or in the course of an occasional transaction.

(1) A relevant person must carry out an assessment that estimates the risk of ML/FT posed by any technology to the relevant person’s business.

(2) The technology risk assessment must be —

(a) undertaken as soon as reasonably practicable after the relevant person commences business;

(b) undertaken prior to the launch or implementation of new products, new business practices and delivery methods including new delivery systems;

(c) undertaken prior to the use of new or developing technologies for both new and existing products;

(d) recorded in order to be able to demonstrate its basis; and

(e) regularly reviewed (details of any review must be recorded) and, if appropriate, amended so as to keep it up-to-date.

(3) The technology risk assessment must have regard to all relevant risk factors including —

(a) technology used by the relevant person to comply with AML/CFT legislation;

(b) the business risk assessment carried out under paragraph 5;

(c) the products and services provided by the relevant person;

(d) the manner in which the products and services are provided by the relevant person, considering delivery methods, communication channels and payment mechanisms;

(e) digital information and document storage;

(f) electronic verification of documents; and

(g) data and transaction screening systems.

(1) This paragraph applies where a customer is introduced to a relevant person by a person who provides elements of the customer due diligence (the “introducer”).

(2) The relevant person must comply with —

(a) this paragraph; and

(b) paragraph 8 or 11 (whichever is applicable).

(3) The relevant person must carry out a customer risk assessment in accordance with paragraph 6 and sub-paragraph (4).

(4) The risk assessment must include and take into account —

(a) a risk assessment of the introducer;

(b) whether the introducer has met the customer;

(c) whether any elements of customer due diligence provided by the introducer have been obtained by the introducer — (i) directly from the customer; or (ii) from any third parties; and

(d) if sub-paragraph (4)(c)(ii) applies, indicate — (i) how many third parties were involved in the process; (ii) who those third parties were; (iii) whether any of those third parties have met the customer; (iv) whether any third party is a trusted person; and (v) whether in the case of any third parties located outside of the Island, they are located in a List C jurisdiction.

(5) If the risk assessment indicates higher risk, the relevant person must undertake enhanced customer due diligence on the customer in accordance with paragraph 15 including, taking reasonable measures to establish the source of wealth of the customer and any beneficial owner of the customer.

(6) If more than one third party located outside of the Island is involved in the process, as specified in sub-paragraph (4), sub-paragraph (7) applies.

(7) Without limiting paragraph 8 or 11 (whichever is applicable), the relevant person must verify the identity of the customer using reliable, independent source documents, data or information obtained, either —

(a) directly from the customer;

(b) from the introducer, but only if the introducer has obtained such evidence of verification of identity — (i) directly from the customer; (ii) directly from a third party who has met the customer; or (b) directly from a third party who has met the customer.

(8) The relevant person must be satisfied that —

(a) any elements of customer due diligence information provided by the introducer conform to the requirements of this Code;

(b) any document, data or information used to verify the identity of the customer conform to the requirements of this Code; and

(c) there is no reason to doubt the veracity of the documents, data or information produced to verify the identity of the customer.

(9) If the relevant person cannot be satisfied as to the identity of the customer in accordance with the relevant provisions of this Code —

(a) the business relationship or occasional transaction must proceed no further;

(b) the relevant person must consider terminating that business relationship; and

(c) the relevant person must consider making an internal disclosure.

(10) For the purposes of this paragraph, a third party “involved in the process” does not include a third party in the same group as —

(a) the relevant person; or

(b) the introducer, provided that the third party is a trusted person.

(11) For the avoidance of doubt, if further elements of customer due diligence other than evidence of verification of identity are obtained by the relevant person under sub-paragraph (7) then this should be reflected in the customer risk assessment carried out in accordance with paragraph 6 and sub-paragraph (4).