How can the JMLSG guidance help FCA-regulated firms?

The Joint Money Laundering Steering Group has produced guidance on the prevention of money laundering for the UK financial sector.

What is JMLSG Guidance?

JMLSG’s Guidance is aimed at both (i) firms in sectors represented by its members (comprising a number of UK Trade Associations) and (ii) firms regulated by the Financial Conduct Authority (FCA).

The guidance can assist those in the financial sector in many ways. Two key areas are its overviews of the requirements for undertaking risk assessments and CDD.

AML risk assessments 

Chapter 4 of the guidance is entitled the “Risk-based approach”, and gives an overview of how to comply with certain obligations, such as:

  • Identifying and assessing the risks of money laundering and terrorist financing which a business is subject to
  • Putting in place appropriate systems and controls to reflect the risks identified 

Whilst the risk-based approach includes identifying and assessing the business risks faced by a firm in general, a key part of this chapter also focuses on the customer-specific risk assessments which should be undertaken. In an annex to the guidance, there is a list of the factors which should be taken into account when assessing the risk posed by a particular customer. These are: 

1. Customer risk factors

Such as the sectors the customer operates in, whether they are a politically exposed person (or PEP), their reputation, and their general nature and behaviour. 

2. Countries and geographic areas factors 

This includes the jurisdiction in which the customer is based, as well as where they do business and have other links.

3. Products, services and transactions risk factors

This includes the level of transparency a transaction affords, the complexity of the product, and the value and size of the transaction.

4. Delivery channel risk factors 

This considers the extent to which the business relationship takes place on a face-to-face basis, and whether there are any introducers or intermediaries involved.

With all of these factors, new information can come to light throughout the course of a business relationship. Accordingly, firms should have measures in place to ensure risk assessments are monitored and updated when needed. 

Customer due diligence (CDD) 

In chapter 5, the guidance sets out the elements which should be involved when undertaking CDD:

  • Identifying and verifying a customer’s identity
  • Identifying any beneficial owners and verifying those identities (where relevant) 
  • Assessing the intended nature of the business relationship

Before providing an overview of the information to be collected on different types of customer, the guidance explains the necessity of CDD. One reason is that CDD and ongoing monitoring “make it more difficult for the financial services industry to be used for money laundering or terrorist financing”. It is also the case that firms “need to know who their customers are to guard against… money laundering and terrorist financing”.

We mentioned above the importance of keeping risk assessments up to date. This is also vital for CDD information, which is why the guidance emphasises the need to conduct ongoing monitoring, ensuring transactions are scrutinised, and that CDD doesn’t just take place when onboarding new customers. 

How can Omnitrack help?

Our customisable dashboard gives a complete view of all submissions, red flags and any further action that is required

Omnitrack is VinciWorks’ data collection and reporting tool, which is used by our clients for a range of compliance needs. The AML onboarding solution includes a client onboarding workflow specifically designed for FCA-regulated firms. The system incorporates industry best practice in both the CDD information required for different client entities and the different factors in the risk assessment. It is also a flexible solution, allowing you to take a risk-based approach and tailor the workflow to your firm’s needs.

The workflow can aid you throughout the customer onboarding process and includes: 

  • CDD – collecting and storing identity documents, as well as noting evidence used to verify customers’ identities.  
  • Analysing and recording customers’ sources of wealth 
  • Risk assessments – conditional logic means the information collected in the first two stages prompts users when assigning customer risk levels

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented, and Data Protection Impact Assessments (DPIAs) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of euros.