Policies

As well as evidencing AML/CFT procedure documents in written form, some policies in Proofdesk also customise your workflow. By checking your team's work against the parameters set out in your policies, Proofdesk helps ensure that procedure is followed consistently.

"The Code makes clear that before any business is conducted for a customer or another person, a relevant person must have in place specified procedures and controls."

"The procedures established must all be in writing. It is not acceptable for any of the procedures to be undocumented practices or customs."

"Relevant persons must ensure that the procedures and controls they have established are operated consistently."

The Handbook 2023 Section 2.1.2

Policies in Proofdesk are customisable and versioned, providing a full history of the reviews made to each procedure.

"Relevant persons must maintain these procedures ensuring that they remain fit for purpose. This will involve reviewing and testing the procedures to ensure they remain effective..."

The Handbook 2023 Section 2.1.2

Stored in Proofdesk, policies are readily accessible to team members with the appropriate grants to reference as they work. This helps to ensure procedure is more easily followed.

"These documented procedures must be understandable and appropriately accessible to all those conducting business on behalf of the relevant person in order to ensure they can be followed and standards maintained."

The Handbook 2023 Section 2.1.2


Policy Types

Configuration Policies: Record how you've configured Proofdesk to enforce your AML/CFT requirements. Based on the regulator's guidance, Proofdesk has four key types of configuration policy:

Custom Policies: Record written custom policies which do not impact the operation of the software.


Version History & Approval

Every policy is a form accompanied by its full version history, allowing organisations to demonstrate the frequency and depth of reviews made to policies.

"Relevant persons must maintain these procedures ensuring that they remain fit for purpose. This will involve reviewing and testing the procedures to ensure they remain effective..."

The Handbook 2023 Section 2.1.2

Prior to coming into effect, each new policy version must first be approved by the relevant members within the organisation. Every member of the organisation who possesses the 'Approve a policy' grant must signal their approval before the version is signed off.

"Senior management approvals should be comprehensively documented such that it is clear what procedures and controls are approved each time, as well as any considerations, analysis and rationale relevant to the approval."

The Handbook 2023 Section 2.1.2

Once approved, a policy version cannot be deleted.


Reviews

When policies are reviewed in Proofdesk, they can be assigned a "next review date". This keeps your team informed about which procedures are up for review when the time comes.

"Examples of procedures and controls to ensure risk assessments are regularly reviewed and remain relevant include, but are not limited to, the factors listed below.

  • Setting a particular date for each calendar year for a periodic BRA/TRA review to take place. Relevant persons should be aware that the first BRA and TRA may need to be reviewed on a shorter time frame than future BRAs and TRAs to assess whether the assumptions made before business commenced reflect the business that is being carried out.

  • Setting a date on a risk sensitive basis for CRA reviews to ensure new or emerging risks are included..."

The Handbook 2023 Section 2.2.6


Relevant Legislation/Guidance

The Code 2019 - 4 Procedures and controls

(1) A relevant person must not enter into or carry on a business relationship, or carry out an occasional transaction, with or for a customer or another person unless the relevant person —

(a) establishes, records, operates and maintains procedures and controls —

(i) in order to comply with each paragraph within Parts 3 to 9;

(ii) in relation to determining whether a customer, any beneficial owner, beneficiary, introducer or eligible introducer is included on the sanctions list; and

(iii) in relation to internal controls and communication matters that are appropriate for the purposes of forestalling and preventing ML/FT;

(b) takes appropriate measures for the purpose of making its employees and workers aware of —

(i) the AML/CFT legislation; and

(ii) the procedures and controls established, recorded, maintained and operated under head (a).

(2) The procedures and controls referred to in sub-paragraph (1) must —

(a) have regard to the materiality and risk of ML/FT including whether a customer, beneficial owner, beneficiary, introducer or eligible introducer poses a higher risk of ML/FT;

(b) enable the relevant person to manage and mitigate the risks of ML/FT that have been identified by the relevant person when carrying out the requirements of this Code; and

(c) be approved by the senior management of the relevant person.

(3) The ultimate responsibility for ensuring compliance with this Code is that of the relevant person, regardless of any outsourcing or reliance on third parties during the process.

The Code 2019 - 5 Business risk assessment

(1) A relevant person must carry out an assessment that estimates the risk of ML/FT posed by the relevant person’s business and customers.

(2) The business risk assessment must be —

(a) undertaken as soon as reasonably practicable after the relevant person commences business;

(b) recorded in order to demonstrate its basis; and

(c) regularly reviewed (details of any review must be recorded) and, if appropriate, amended so as to keep the assessment up-to-date.

(3) The business risk assessment must have regard to all relevant risk factors, including —

(a) the nature, scale and complexity of the relevant person’s activities;

(b) any relevant findings of the most recent National Risk Assessment relating to the Island;

(c) the products and services provided by the relevant person;

(d) the manner in which the products and services are provided, including whether the relevant person meets its customers;

(e) the involvement of any third parties for elements of the customer due diligence process, including where reliance is placed on a third party;

(f) customer risk assessments carried out under paragraph 6; and

(g) any technology risk assessment carried out under paragraph 7.

The Code 2019 - 6 Customer risk assessment

(1) A relevant person must carry out an assessment that estimates the risk of ML/FT posed by the relevant person’s customer.

(2) A customer risk assessment must be —

(a) undertaken prior to the establishment of a business relationship or the carrying out of an occasional transaction with or for that customer;

(b) recorded in order to be able to demonstrate its basis; and

(c) regularly reviewed (details of any review must be recorded) and, if appropriate, amended so as to keep the assessment up-to-date.

(3) The customer risk assessment must have regard to all relevant risk factors, including —

(a) the business risk assessment carried out under paragraph 5;

(b) the nature, scale, complexity and location of the customer’s activities;

(c) the manner in which the products and services are provided to the customer;

(d) the risk factors included in paragraph 15(5) and (7);

(e) the involvement of any third parties for elements of the customer due diligence process, including where reliance is placed on a third party;

(f) any risk assessment carried out under paragraph 9(4); and

(g) whether the relevant person and the customer have met during the business relationship, or its formation, or in the course of an occasional transaction.

The Code 2019 - 7 Technology risk assessment

(1) A relevant person must carry out an assessment that estimates the risk of ML/FT posed by any technology to the relevant person’s business.

(2) The technology risk assessment must be —

(a) undertaken as soon as reasonably practicable after the relevant person commences business;

(b) undertaken prior to the launch or implementation of new products, new business practices and delivery methods including new delivery systems;

(c) undertaken prior to the use of new or developing technologies for both new and existing products;

(d) recorded in order to be able to demonstrate its basis; and

(e) regularly reviewed (details of any review must be recorded) and, if appropriate, amended so as to keep it up-to-date.

(3) The technology risk assessment must have regard to all relevant risk factors including —

(a) technology used by the relevant person to comply with AML/CFT legislation;

(b) the business risk assessment carried out under paragraph 5;

(c) the products and services provided by the relevant person;

(d) the manner in which the products and services are provided by the relevant person, considering delivery methods, communication channels and payment mechanisms;

(e) digital information and document storage;

(f) electronic verification of documents; and

(g) data and transaction screening systems.

The Code 2019 - 9 Introduced business

(1) This paragraph applies where a customer is introduced to a relevant person by a person who provides elements of the customer due diligence (the “introducer”).

(2) The relevant person must comply with —

(a) this paragraph; and

(b) paragraph 8 or 11 (whichever is applicable).

(3) The relevant person must carry out a customer risk assessment in accordance with paragraph 6 and sub-paragraph (4).

(4) The risk assessment must include and take into account —

(a) a risk assessment of the introducer;

(b) whether the introducer has met the customer;

(c) whether any elements of customer due diligence provided by the introducer have been obtained by the introducer —

(i) directly from the customer; or

(ii) from any third parties; and

(d) if sub-paragraph (4)(c)(ii) applies, indicate —

(i) how many third parties were involved in the process;

(ii) who those third parties were;

(iii) whether any of those third parties have met the customer;

(iv) whether any third party is a trusted person; and

(v) whether in the case of any third parties located outside of the Island, they are located in a List C jurisdiction.

(5) If the risk assessment indicates higher risk, the relevant person must undertake enhanced customer due diligence on the customer in accordance with paragraph 15 including, taking reasonable measures to establish the source of wealth of the customer and any beneficial owner of the customer.

(6) If more than one third party located outside of the Island is involved in the process, as specified in sub-paragraph (4), sub-paragraph (7) applies.

(7) Without limiting paragraph 8 or 11 (whichever is applicable), the relevant person must verify the identity of the customer using reliable, independent source documents, data or information obtained, either —

(a) directly from the customer;

(b) from the introducer, but only if the introducer has obtained such evidence of verification of identity —

(i) directly from the customer;

(ii) directly from a third party who has met the customer; or

(c) directly from a third party who has met the customer.

(8) The relevant person must be satisfied that —

(a) any elements of customer due diligence information provided by the introducer conform to the requirements of this Code;

(b) any document, data or information used to verify the identity of the customer conform to the requirements of this Code; and

(c) there is no reason to doubt the veracity of the documents, data or information produced to verify the identity of the customer.

(9) If the relevant person cannot be satisfied as to the identity of the customer in accordance with the relevant provisions of this Code —

(a) the business relationship or occasional transaction must proceed no further;

(b) the relevant person must consider terminating that business relationship; and

(c) the relevant person must consider making an internal disclosure.

(10) For the purposes of this paragraph, a third party “involved in the process” does not include a third party in the same group as —

(a) the relevant person; or

(b) the introducer, provided that the third party is a trusted person.

(11) For the avoidance of doubt, if further elements of customer due diligence other than evidence of verification of identity are obtained by the relevant person under sub-paragraph (7) then this should be reflected in the customer risk assessment carried out in accordance with paragraph 6 and sub-paragraph (4).

Also refer to The Handbook 2023 section 2.1 through 2.2
