The notice is very interesting, not only for the lessons it holds for those seeking registration (including outside of the UK), but also because these same failings can often be found in registered firms we have dealt with as part of our Skilled Person work. Take note and avoid these mistakes:
➡️ Business-Wide Risk Assessment
- The MLRs cite five risk factors (customer, jurisdiction, product/services, transactions, delivery channel): consider all of them.
- The methodology used must be clear in how ratings for inherent and residual risks, as well as control effectiveness, are assessed.
- List inherent risks, not controls (e.g. "EDD Requests", "SARs") or control failings ("lack of robust TM").
- Consider National Risk Assessments; that's why they're explicitly listed in the MLRs.
➡️ Customer Risk Assessment
- Customers must be assessed against all five risk factors to give a holistic view of risk.
- The methodology must have appropriate weightings to arrive at the customer's overall score, and be supplemented by relevant lists (countries, industries, products/services).
- Ensure all the triggers in regulation are considered (e.g. customer or party to a transaction established in a high-risk third country).
- Ensure all requirements in regulation are considered (e.g. Source of Funds AND Source of Wealth for high-risk customers).
- Clearly describe the process for reporting suspicions to the Nominated Officer, including necessary information.
- Describe the process for DAML requests.
⚠️ Regulators have intentionally set the bar high for approving registration and licensing applications, to ensure approved firms have at least designed their compliance programs in an appropriate way. Make sure you understand those requirements and get professional advice. These were all very avoidable failures, and one can suspect that perceived cost and time savings played a role in not getting that advice (or going for a low-quality option), and that it spectacularly backfired.