The 2017 Regulations require firms in the regulated sector to implement AML compliance programs with the following components:
Risk assessment. Firms must take steps to identify and assess money laundering risks, which usually includes keeping a written record of the risk assessment.
Customer due diligence. Firms must generally carry out customer due diligence measures when establishing a business relationship or carrying out certain transactions.
Policies and procedures. Regulated firms must establish and maintain policies and procedures designed to mitigate the risks of money laundering, including customer due diligence, risk management, internal controls, reporting, and recordkeeping. Policies and procedures must be proportionate to the nature and size of the firm, and be approved by senior management.
If the firm has subsidiaries or branches located outside the EU and in a country that does not impose anti-money laundering requirements as strict as those in the UK, the parent entity must ensure that the subsidiaries and branches apply measures equivalent to those required by the 2017 Regulations, insofar as this is permitted under local law.
Training. Regulated firms must take appropriate measures to ensure that relevant employees are made aware of the law relating to money laundering, terrorist financing, and data protection, and are regularly trained in how to recognize and deal with transactions that may be related to money laundering or terrorist financing.
Internal controls. Where appropriate given the size and nature of their business, regulated firms must appoint an individual who is a member of the board of directors (or of senior management) as the officer responsible for compliance with the 2017 Regulations.
Similarly, where appropriate, regulated firms must carry out screening of relevant employees, and establish an internal audit function.