Custom Policies


Last updated 15 days ago

Aside from configuration policies, there are many other examples of policies, procedures and other written documents that might make up an organisation's AML/CFT compliance.

Custom policies are entirely free-form documents that don't configure settings or impact other areas of the software. By using custom policies, organisations can take advantage of Proofdesk's version history and approval features to demonstrate the existence and review of additional documents.

Examples of custom policies that could be included:

  • Business Risk Assessment

  • Technology Risk Assessment

  • Other AML/CFT Procedures

"Relevant persons must ensure they have a thorough understanding of the ML/FT risks they are exposed to. To this end, relevant persons must establish procedures and controls for BRA, customer (“CRA”) and technology risk assessments (“TRAs”), which must be recorded. The relevant person must operate these procedures and controls, meaning they must undertake the relevant risk assessments according to those procedures."

Section 2.1.2



The content of a custom policy can be written directly in Proofdesk or uploaded as a .pdf file.

When custom policies are reviewed in Proofdesk, they can be assigned a "next review date". This keeps your team informed about which procedures are due for review.

"Examples of procedures and controls to ensure risk assessments are regularly reviewed and remain relevant include, but are not limited to, the factors listed below.

  • Setting a particular date for each calendar year for a periodic BRA/TRA review to take place. Relevant persons should be aware that the first BRA and TRA may need to be reviewed on a shorter time frame than future BRAs and TRAs to assess whether the assumptions made before business commenced reflect the business that is being carried out..."


Relevant Legislation/Guidance

An organisation can have many Custom Policy forms.

Section 2.2.6

The Code 2019 - 4 Procedures and controls

(1) A relevant person must not enter into or carry on a business relationship, or carry out an occasional transaction, with or for a customer or another person unless the relevant person —

(a) establishes, records, operates and maintains procedures and controls —

(i) in order to comply with each paragraph within Parts 3 to 9;

(ii) in relation to determining whether a customer, any beneficial owner, beneficiary, introducer or eligible introducer is included on the sanctions list; and

(iii) in relation to internal controls and communication matters that are appropriate for the purposes of forestalling and preventing ML/FT;

(b) takes appropriate measures for the purpose of making its employees and workers aware of —

(i) the AML/CFT legislation; and

(ii) the procedures and controls established, recorded, maintained and operated under head (a).

(2) The procedures and controls referred to in sub-paragraph (1) must —

(a) have regard to the materiality and risk of ML/FT including whether a customer, beneficial owner, beneficiary, introducer or eligible introducer poses a higher risk of ML/FT;

(b) enable the relevant person to manage and mitigate the risks of ML/FT that have been identified by the relevant person when carrying out the requirements of this Code; and

(c) be approved by the senior management of the relevant person.

(3) The ultimate responsibility for ensuring compliance with this Code is that of the relevant person, regardless of any outsourcing or reliance on third parties during the process.

The Code 2019 - 5 Business risk assessment

(1) A relevant person must carry out an assessment that estimates the risk of ML/FT posed by the relevant person’s business and customers.

(2) The business risk assessment must be —

(a) undertaken as soon as reasonably practicable after the relevant person commences business;

(b) recorded in order to demonstrate its basis; and

(c) regularly reviewed (details of any review must be recorded) and, if appropriate, amended so as to keep the assessment up-to-date.

(3) The business risk assessment must have regard to all relevant risk factors, including —

(a) the nature, scale and complexity of the relevant person’s activities;

(b) any relevant findings of the most recent National Risk Assessment relating to the Island;

(c) the products and services provided by the relevant person;

(d) the manner in which the products and services are provided, including whether the relevant person meets its customers;

(e) the involvement of any third parties for elements of the customer due diligence process, including where reliance is placed on a third party;

(f) customer risk assessments carried out under paragraph 6; and

(g) any technology risk assessment carried out under paragraph 7.

The Code 2019 - 7 Technology risk assessment

(1) A relevant person must carry out an assessment that estimates the risk of ML/FT posed by any technology to the relevant person’s business.

(2) The technology risk assessment must be —

(a) undertaken as soon as reasonably practicable after the relevant person commences business;

(b) undertaken prior to the launch or implementation of new products, new business practices and delivery methods including new delivery systems;

(c) undertaken prior to the use of new or developing technologies for both new and existing products;

(d) recorded in order to be able to demonstrate its basis; and

(e) regularly reviewed (details of any review must be recorded) and, if appropriate, amended so as to keep it up-to-date.

(3) The technology risk assessment must have regard to all relevant risk factors including —

(a) technology used by the relevant person to comply with AML/CFT legislation;

(b) the business risk assessment carried out under paragraph 5;

(c) the products and services provided by the relevant person;

(d) the manner in which the products and services are provided by the relevant person, considering delivery methods, communication channels and payment mechanisms;

(e) digital information and document storage;

(f) electronic verification of documents; and

(g) data and transaction screening systems.

Also refer to section 2.1 through 2.2

The Handbook 2021
The Code 2019
The Handbook 2023