MLRO Annual Report
Aide memoire for the MLRO:
A suggested framework to provide information to inform the MLRO Annual Report
This document represents a suggested structure for assembling information to enable the MLRO to report on the operation and effectiveness of a firm's systems and controls established to comply with the FSA's Rules.
Please read before using:
- This document is intended to be helpful to MLROs but it is not formal guidance by JMLSG.
- The FSA believes that this document may provide useful guidance to MLROs.
- The level of relevant detail will largely depend on the type and size of the relevant firm and, to this end, this outline should be used flexibly in the context of the firm.
- Some of the issues discussed in this paper may not apply, or be relevant, to a particular firm.
- It is for the MLRO to determine how much detail finds its way into the Annual Report that is presented to senior management.
Introduction and summary
- Obligation to make a report: SYSC 3.2.6G (2) G advises that an MLRO present an annual report to senior management, but does not specify the format for such a report.
- Issues that the MLRO may wish to cover in his report: The report would serve its purpose best if it focused on outcomes, rather than listing a lot of statistics ... In particular, it should conclude on the effectiveness of the firm's AML systems and controls, and should make appropriate recommendations for improvement in the management of risks and priorities, including resources.
- Benefits of using a formalised paper to support a report: A formalised paper will allow the MLRO to evidence duties, allow him/her to take stock of the year, plan work going forward, document key AML performance and risk indicators, record the policies the firm has in place and identify key issues that should be reported up the line to senior management. For completeness, the working paper (and the MLRO Annual Report itself) should include reference to the activities of the Nominated Officer (even if he/she is the same individual as the MLRO).
- On this basis, the outline in this paper could assist in the process of producing the Annual Report to be submitted to senior management (SYSC 3.2.6G (2) G). The Annual Report should be comprehensive enough for senior management to meet their responsibilities (1), although it is unlikely to incorporate the level of detail that would be in this paper.
- Restrictions in making a report: If there are, or have been, any restrictions in putting this information together, these should be described.
- Executive summary: The paper discusses the following matters:
A Those within the firm responsible for AML systems and controls, and the structure within which they operate
B Report on operation of systems and controls
C Summary of business issues
D Conclusions, and recommendations for action
Annex Report on duties of Nominated Officer
(1) Senior management responsibilities are detailed in the SYSC Rules.
A: Those within the firm responsible for anti-money laundering systems and controls, and the structure within which they operate
AML Governance framework:
- Name of the specific Director or senior managers (under SYSC 3.2.6H R) with overall responsibility within the firm for the establishment and maintenance of effective anti-money laundering systems and controls.
- Where this role is not played by the MLRO, describe the demarcation of responsibilities.
- Name and location (the FSA requires the MLRO to be in the UK) of the MLRO and anyone to whom responsibilities have been delegated. Any other roles held by the MLRO (such as Nominated Officer under the Money Laundering Regulations, Proceeds of Crime Act and Terrorism Act) may be detailed. Relative responsibilities may be described.
- List MLRO employment dates, including delegates' dates, and details of any temporary arrangements (if relevant).
- If the firm is in a group, the group MLRO structure should be described.
- Confirm responsibilities of the MLRO, in accordance with SYSC 3.2.6I R.
- Consider areas where the MLRO has been restricted from fully carrying out his functions.
- Consider whether resources to assist the MLRO function, and access to information, are sufficient.
- Name the Nominated Officer under the Money Laundering Regulations, etc.
- Refer to report on Nominated Officer's activities (Annex).
B: Report on operation of systems and controls
Areas required to be covered under SYSC 3.2.6G G:
- Appropriate staff training
- Adequacy of information to senior management
- Documentation of risk management policies and risk profiles.
- Appropriate coverage of new products; take-on of new customers; changes in business profile
- Position regarding financially excluded
- Monitoring arrangements
- Summarise the firm's policy for training, along with time frame details for any rolling programme.
- Summarise the methods of training used and quality checks performed for awareness and training.
- Indicate the number of the firm's relevant employees, alongside the number that have actually received money laundering training for the year in question, broken down into management, staff, temps, etc. Indicate the number of relevant employees that have not received training and provide an explanation for this.
- Consider the intended programme of training for the year ahead along with perceived budgetary considerations.
- Outline the MLRO's training (and that of relevant senior managers/directors) over the year, where different from that of other staff members.
- Consider any difficulties faced in achieving a satisfactory level of training. Indicate where improvement is sought, for management consideration.
Information to senior management
- Describe arrangements for regular reporting, indicating frequency and those individuals [and bodies] to whom reports are made.
- Describe scope and coverage of regular reports
Documentation of policies and risk assessments
- Describe arrangements for documentation of policies and risk assessments
- Describe any material changes in the period to documented policies and risk assessments
- Given SYSC 3.2.6E G, it would be helpful to say something about how the firm uses the JMLSG Guidance.
- Comment on any regulatory/legislative changes during the period, and an indication of any known forthcoming ones, and their impact on the firm's policy and risk management processes.
- Describe how guidance and information from different sources (SOCA, FATF, etc) were taken into account.
- This section may in practice require some high level summarising, and cross referring to other documents.
New products etc
- Confirm compliance with SYSC 3.2.6G(4) G
- Describe the firm's new product approval process
- Describe arrangements for dealing with customers who are, or may be, financially excluded
- Provide any available useful data on the use of these arrangements.
Arrangements for monitoring effectiveness of systems and controls
- Describe arrangements for ensuring that the firm's systems and controls cover the areas required by SYSC 3.2.6G G
- Describe arrangements for MLRO review of firm's compliance with systems and controls
C: Summary of business issues
- Outline the business operations covered by the firm over the last year, indicating changes in activity and elements of the business that have had implications for money laundering controls. For example, this could include overseas and/or non-regulated entities that have an impact on the regulated firm's compliance with the Rules.
- Consider any other issues relevant to the firm's business here.
Customers and CDD processes
- Summarise the type and size of customer base over the last year by business areas. For example, distinguish between new customers in each business area, countries of origin, percentage increase/decrease compared with last year, and anything unusual.
- Information on the firm's PEPs policies and procedures, and the number of known PEPs with whom the firm maintains a business relationship.
- Describe the firm's arrangements for sanctions compliance, e.g. What lists does it use? How frequent are the checks? Who is checked (e.g. beneficiaries, signatories; old customers/new customers)? What sorts of payments are checked? What is the position in subsidiaries, branches etc overseas?
- Summarise relationships where identification and due diligence have not been conducted directly by the firm (i.e. third parties, introducing brokers, etc.).
- Outline the procedures for being satisfied that introducers may be 'relied' upon.
- Highlight the methods used for identification verification. Exceptions to customer identification policies (i.e., financial exclusion) may also be considered here (if it doesn't duplicate previous text).
- Summarise how individual high-risk customers are dealt with.
- Describe how additional KYC information is collected under the risk-based approach, and how it is updated.
- Describe the firm's arrangements for monitoring transactions.
- Summarise product range and risks
- Geographical area(s) of operation and risks
- Delivery channels and risks
- Note the format and location of record keeping and any intentions to change this.
- Describe any material control failures identified during the period, and the actions taken to address these.
Court Orders, etc
- Consider the numbers and brief circumstances of Production and other Orders served (if related to money laundering cases).
- A discussion of compliance with court orders, and lessons learned from them.
D: Conclusions and recommendations for action
Conclusion: Overall assessment of systems and controls
- Are they comprehensive and proportionate? (SYSC 3.2.6A R)
- Have they been reviewed regularly? (SYSC 3.2.6C R) (SYSC 3.2.6A R)
- Summarise details of any material control failures identified, including the identification of issues which may amount to rule breaches, and any remedial action taken
- Effectiveness of transaction monitoring processes?
Recommendations for Action
- Describe in order of priority areas for remedial/preventative action, the action deemed necessary, and an expected timeframe for completion. Note any other recommendations to senior management.
- Comment on adequacy of resources
Annex: Report on duties of Nominated Officer
Suspicious transaction reporting
- Outline the method used to identify suspicious transactions (i.e. system monitoring, case-by-case basis) and consider any shortcomings with this process. Summarise any other ways that suspicions arose.
- If available from SOCA, provide some peer group comparisons and analyse/explain similarities and differences.
- Highlight improvements/enhancements/system upgrades deemed necessary.
- Summarise the number of internal reports made by business area. Distinguish between the number of reports picked up by central monitoring units and staff.
- Number of 'false positives' generated where internal reports were not forwarded to SOCA. Whether this has increased or decreased since the last report.
- Summarise the circumstances that may have led to increased/decreased reporting and consider any significant trends in reporting.
- Summarise any quality checks that are made by the Nominated Officer in the area of reporting.
- Note whether there have been any money laundering cases that have arisen where reports have not been made.
- Provide a breakdown by business area of reports passed on to SOCA, and the number of reports that have not been made.
- Consider any significant trends in reporting that might require the Nominated Officer to change system parameters for suspicious transaction reporting. Indicate whether such changes have been actioned or are requested.
- Any feedback from SOCA on reporting, individually or by sector.