Money Laundering: Revised Guidance from JMLSG Published

June 2006

The Joint Money Laundering Steering Group (JMLSG) has issued an update on its guidance for UK financial services firms. The document is entitled "Revised Guidance for the UK Financial Sector of the Joint Money Laundering Steering Group in the Prevention of Money Laundering".

This summary sets out the standard guidance for managing the money laundering and financing of terrorism risks, which are applicable throughout all sectors of the financial services sector. Additional guidance on specific risks faced by various industry sectors, and the manner in which these should be addressed, is set out in our specific sectoral guidance.

1. INTRODUCTION

   Money Laundering Regulations were first introduced in the UK in 1993, with a substantial consolidation being given effect to by the Proceeds of Crime Act 2002 (POCA) that also served to update and reform the law relating to dealing with criminal property. The Terrorism Act 2000 introduced further specific obligations to combat terrorist financing. Guidance relating to these Regulations is set out in the ML section of the FSA Handbook and the 2006 Joint Money Laundering Steering Group (JMLSG) Guidance notes for the UK Financial Sector. They are supplemented by the Serious and Organised Crime and Police Act 2005 (SOCPA) which came into force in April 2006. This extended and amended some of the key powers and obligations under POCA. It also created the Serious and Organised Crime Agency (SOCA).

2. THE NEW RISK-BASED APPROACH

   In a major overhaul of the focus of the application of the anti-money laundering legislation, the FSA requirements, contained in the ML section of the FSA Handbook, will be deleted from 31st August 2006 and will be replaced by high-level provisions in the SYSC section of the Handbook. In addition, revised JMLSG guidance for the financial services industry was published on 3rd March 2006. It is stressed that neither this guidance, nor the analysis of it set out below, should be used unthinkingly as a checklist of steps to take to ensure compliance. Rather, they should be used as a guide to matters which may require consideration in the management of firms' risk so as to enable systems and procedures to be developed that are proportionate and appropriate to address those risks.

   The purpose of the changes is not to reduce firms' obligations in relation to ML, nor to reduce the required standards. Instead, they are intended to give firms the flexibility to structure their response specifically to the money laundering risks faced by their particular sector of the industry. This will ensure maximum cost efficiency by enabling firms to put in place systems and procedures that are appropriate and proportionate to the specific risks identified. In addition, it introduces a new standardised approach to the identification and verification of customers and also provides guidance on the monitoring of customer activity.

   Whilst firms may choose to comply with the revised standards with immediate effect, a transitional period of 6 months until 31st August 2006 has been granted to provide firms with the time to address and implement the changes that may be appropriate for their organisation.

   In addition the guidelines draw heavily on the requirement for senior management responsibility and buy-in, firms need to ensure that senior management is fully engaged in the decision making process and that they take ownership of the risk-based approach.

3. REPLACEMENT OF THE NATIONAL CRIMINAL INTELLIGENCE SERVICE (NCIS) WITH THE SERIOUS ORGANISED CRIME AGENCY (SOCA).

   The Serious Organised Crime Agency (SOCA) is the new law enforcement agency, effective from 3rd April 2006, which has been created to reduce the harm caused to people and communities in the UK by serious organised crime.

   It takes over the functions of the National Crime Squad (NCS), the National Criminal Intelligence Service (NCIS), the role of HMRC in investigating drug trafficking and related criminal finance and some of the functions of the UK Immigration Service (UKIS) in dealing with organised immigration crime.

   These changes have significant relevant implications for this money laundering guidance specifically in the form of the revisions to the reporting requirement and requests for approval to deal, for which the new SOCA has a dedicated unit.

4. WHAT IS MONEY LAUNDERING?

   Forms of Money Laundering include:

   • Classic Money Laundering - i.e. the attempt to 'clean' money received as the proceeds of crime;
   • Handling Stolen Goods;
   • Handling money which is the benefit of other crime e.g. tax evasion or fraud;
   • Direct involvement with any terrorist or criminal property; and
   • Investment of the proceeds of crime in financial products.

   Offences relating to Money Laundering include:

   • Knowingly assisting in concealing, or entering into arrangements for the acquisition, use, and/or possession of, criminal property;
   • Failing to report knowledge, suspicion, or where there are reasonable grounds for believing that another person is engaged in Money Laundering; and
   • Tipping off or prejudicing an investigation.

5. STATUS OF THE GUIDANCE

   Whilst the guidance issued is not actually encompassed in legislation or the FSA rulebook (other than by way of high level standards), firms should be aware that SOCPA and the Terrorism Act require a Court to take into account whether Treasury approved guidance has been complied with when considering whether or not an offence has been committed. In addition the FSA will consider whether the provisions contained in the guidance have been adhered to when considering whether to take disciplinary action against a firm for breaches of the relevant provisions of SYSC. It is therefore important that, whilst the guidance encourages a risk-based approach, which as such gives firms flexibility in the development of their procedures, firms will need to ensure that they are in a position to provide an audit trail of the process they went through in determining their policies and procedures.

A GUIDE TO THE NEW GUIDANCE

The revised guidance sets out guidance on the following:

1. Senior Management Responsibility;
2. Internal Controls;
3. Money Laundering Reporting Officer (MLRO);
4. Risk-Based Approach;
5. Customer Due Diligence;
6. Monitoring Customer Activity;
7. Suspicious Activities, Reporting and Data Protection;
8. Staff Awareness, Training and Alertness; and
9. Record Keeping.

1. SENIOR MANAGEMENT RESPONSIBILITY

   1.1. Processes, Procedures, Systems and Controls

   It is the responsibility of senior management to ensure that the firm's control processes and procedures are appropriately designed, implemented and operated to reduce the risk of the firm being used in Money Laundering or terrorist financing. The new high-level requirement changes the approach to how Money Laundering and terrorist financing risks are addressed.

   Senior Management:

   • Need to be fully engaged in the process, including the conduct of the risk assessment and the design and implementation of the procedures;
   • Must take ownership of the risk-based approach; and
   • Will be held accountable if the approach is inadequate.

   Failure to comply can result in a prison term of up to 2 years and/or a fine.

   A statement of the firm's policies and procedures with regard to Money Laundering and combating of the financing of terrorism should be produced to:

   • Provide direction for the firm and its staff;
   • Delegate responsibilities;
   • Set out the process used to identify the risks faced and the manner in which these risks are to be addressed.

   1.2. Money Laundering Reporting Officer (MLRO)

   It is the responsibility of the senior management of FSA regulated firms (except general insurance firms and mortgage intermediaries) to appoint a director or senior manager with sufficient level of seniority as the MLRO. The MLRO will have overall responsibility for the establishment and maintenance of the firm's anti-money laundering systems and controls, providing direction and oversight to the strategy and approving the systems and controls to be implemented. General insurance firms and mortgage intermediaries are not required to appoint an MLRO but should be aware that if they do so then they will be subject to the reporting obligations. (Please also refer to section 3 of this guidance note.)

   1.3. Report

   The senior management of FSA regulated firms must request a report from the MLRO at least annually on the firm's compliance with its requirements under SYSC to combat financial crime. Under the new guidance it is the responsibility of senior management, subject to the minimum frequency, to determine the depth and frequency of the information necessary to discharge their responsibilities. Senior management should then consider the report and are responsible for ensuring that any deficiencies are identified and remedied in a timely fashion.

2. INTERNAL CONTROLS

   There is a high-level requirement for firms to have in place procedures of internal control and communication for the purposes of forestalling and preventing Money Laundering in relation to:

   • Customer Identification;
   • Record Keeping;
   • Reporting; and
   • Staff Awareness.

   Specifically FSA regulated firms are required to have in place systems and controls appropriate to their business and which include measures "for countering the risk that the firm might be used to further financial crime [including Money Laundering and terrorist financing]".

   In putting in place their systems and controls firms need to consider the unique set of factors relevant to their business including:

   • The nature, scale and complexity of the business;
   • Diversity of operations and geographic location;
   • Customer, product and activity profile;
   • Distribution channels;
   • Volume and size of transactions; and
   • The degree of risk associated with each area of its operation.

   In addition, FSA regulated firms are also required to cover in their systems and controls:

   • Issues of senior management accountability (see above);
   • Training on Money Laundering for relevant employees;
   • Provision of relevant information to senior management;
   • Documentation of the firm's risk management and risk profile in relation to Money Laundering; and
   • Measures to ensure that the Money Laundering risk is taken into account in the day-to-day operation of the firm including:
     • the development of new products;
     • the taking on of new customers; and
     • making changes to the firm's profile.

3. MONEY LAUNDERING REPORTING OFFICER (MLRO)

   3.1. Appointment

   There is a requirement for all FSA regulated firms, except general insurance firms and mortgage intermediaries, to appoint an MLRO who must be based in the UK.

   The MLRO is a controlled function under S.59 FSMA and as such the appointee must be approved before performing the function.

   The MLRO's job description must set out both their responsibilities and objectives, and specifically must have the authority to act independently to enable them to carry out their reporting duties in a suitable timely manner.

   3.2. MLRO Responsibility

   The MLRO is responsible for:

   • Ensuring their involvement in establishing the basis on which the firm's risk based approach model is put into practice;
   • Oversight of the firm's compliance with the FSA rules on systems and controls against Money Laundering;
   • Receiving internal Money Laundering disclosures, deciding whether these should be reported to the Serious and Organised Crime Agency (SOCA), and if so, making that report. Internal reports should be considered as soon as possible to determine whether a report needs to be made to SOCA. In making such a decision the MLRO should be given access to existing customer and relevant business information. Matters considered to require reporting to SOCA should be made promptly.
   • Overseeing the firm's anti-money laundering policies on a day-to-day basis and responding to requests made by relevant regulators for information;
   • Ensuring that adequate arrangements for awareness and training of employees are in place;
   • Monitoring the effectiveness of the firm's money laundering controls; and
   • Providing reports to senior management as commissioned by it.

4. RISK-BASED APPROACH

   The risk-based approach in the prevention of Money Laundering and terrorist financing recognises that the threat to firms depends upon their own particular circumstances and allows firms to develop and apply their own approach to the firm's procedures, systems and controls and to differentiate between customers thus producing a more cost effective system.

   The application of such a risk-based approach will require:

   • The full commitment of senior management;
   • Co-operation of all business units involving the clear communication of policies and procedures across the firm; and
   • Mechanisms to ensure that they are carried out effectively, weaknesses are identified and necessary improvements made.

   In adopting the required risk-based approach firms are required to assess the most cost-effective and proportionate way to manage and mitigate the Money Laundering and terrorist financing risks relevant to the firm. In doing this firms should:

   • Identify the money laundering and terrorist financing risks faced by the firm; and
   • Assess the risks bearing in mind the firm's:
     • customer base;
     • product types;
     • delivery channels; and
     • geographical location.

   Guidelines indicate that in identifying and assessing the risks firms should look at:

   • Customer profile;
   • Customer behaviour;
   • Manner of introduction of customer to the firm; and
   • Type of product/services used.

   Having assessed the risk that requires managing and mitigating, firms are required to:

   • Design and implement controls to address them. Such controls would include the introduction of a customer identification programme;
   • Monitor the effectiveness of the controls and make improvements where deficiencies become apparent; and
   • Keep a record of what controls have been put in place and why.

   Providing that the above approach to identifying and addressing the risk is properly undertaken and a firm can demonstrate that it has put in place an effective system of controls that identifies and mitigates its Money Laundering risk, then the FSA has indicated that enforcement action is very unlikely.

5. CUSTOMER IDENTIFICATION

   Firms are obliged to ensure that they are reasonably satisfied that customers are who they say they are. As such they are required to demonstrate due diligence in carrying out verification of client identity and to ensure that the firm would be in a position to respond to law enforcement agencies by providing necessary information on customers and/or activities being investigated.

   Firms are therefore required to:

   • Verify the customer's identity; and
   • Obtain additional appropriate Know Your Customer ((KYC) information. This will include obtaining an understanding of the customer's circumstances and business, including obtaining an idea of the expected level of transactions. There is an obligation on firms to ensure that such information is kept up to date.

   5.1. Persons who should not be accepted as Customers

   Certain persons should not be accepted as customers and an up to date consolidated list of persons to whom such sanctions apply, as maintained by the Bank of England, should be checked before acceptance as a customer. Firms should note that it is a criminal offence to make funds or financial services available to persons included on the list.

   The list can be found at www.bankofengland.co.uk/publications/financialsanctions/index.htm

   5.2. Customers whose identity need not be verified

   Customers whose identity might not need to be verified include:

   • Those specifically exempt, and this includes:
     • where the customer itself carries on financial services business which is subject to the ML regulations or is regulated by an overseas regulatory authority and is based or incorporated in a non-EEA state whose laws are comparable to EU law; or
     • a one off transaction for less than €15,000 or a one-off transaction for a third party introducer which carries on financial services business. This applies where the business is subject to the ML regulations or is regulated by an overseas regulatory authority and is based or incorporated in a non-EEA state whose laws are comparable to EU law. The exception is valid provided that the introducer supplies written evidence of the identity of the third parties introduced. This exemption will, in practice, apply where:
       • the payment to be made by or to the customer does not exceed €15,000 in total and the customer is not expected to require further services from the firm; or
       • the total funds to be deposited are known at the outset; or
       • when the proceeds of the transaction are invested for the customer, irrespective of the amount involved.

     If the customer undertakes regular or frequent transactions or the total number of transactions is unknown at the outset, the customer's identity must be verified:

     • Those with an existing relationship with the firm. This exemption applies to customers whose business relationship with the firm was established before 1st April 1994 and has continued since. It does not apply where only a one-off transaction was undertaken; and
     • Customers who come to the firm by reason of that firm's acquisition of another firm provided that:
       • all underlying customer records are acquired with the business; or
       • a warranty is given by the acquired firm that the customers identified have been verified.

   5.3. Identification and Verification

   Identification of the customer should take place as soon as reasonably practicable after first contact and should involve taking the customer's:

   • Full Name;
   • Residential Address; and
   • Date of Birth.

   Verification of the identity information provided by the customer should take place, insofar as possible, before the commencement of a business relationship.

   5.4. Form of Identity

   The form of identity required must reasonably satisfy the firm that the person exists and is who they say they are. Verification may be based either on documentation produced by the customer or by electronic verification, or a combination of the two.

   Firms can decide what forms of identity are acceptable for the transaction in question bearing in mind:

   • Product or service;
   • Existing or previous relationships;
   • Assurances from other firms; and
   • Physical presence of the customer.

   Documentation used to establish identity should be taken from the following:

   • Those issued by government departments;
   • Those issued by public sector bodies;
   • Those issued by other regulated firms or subject to ML regulations;
   • Those issued by other organisations.

   Guidance suggests that documentary verification should be based on either:

   • A government issued document which incorporates the customer's full name and photograph together with either their residential address or date of birth; or
   • A government issued document without a photograph, but which incorporates the customer's full name, supported by an additional document that is issued either by the government, a judicial authority, a public sector body or another FSA regulated firm that incorporates the customer's full name and either their residential address or date of birth.

   5.5. Electronic Verification

   Electronic verification is permissible, and should be done using, as its basis, the customer's full name, address and date of birth. Such verification may be done direct, or through a supplier. Either way, firms should ensure that they understand the basis of the system that they choose to use and that the information supplied is sufficiently extensive, reliable and accurate.

   5.6. Face-to-Face Identification and Verification

   In practice, a member of staff may also derive verification information in other ways including a visit to the customer's home. In practice therefore, for many verifications the presentation by the customers of the passport or photo card driving licence will be adequate.

   Firms are not specifically obliged to re-verify customer identity to keep it up to date, but the guidelines require firms to take steps to ensure that they hold up to date information as risk dictates. Satisfaction of this will be a judgment call for the firm based on the risk criteria addressed above.

   5.7. Non Face-to-Face Identification and Verification

   Firms should acknowledge the additional risks where identity is verified electronically or copy documents are relied upon and ensure that their systems and procedures have additional safeguards to mitigate such risks.

   5.8. Records

   A record of the steps taken, and copies of the documentation produced, to establish and verify identity must be retained by the firm.

6. MONITORING CUSTOMER ACTIVITY

   Whilst there is no specific legal requirement for firms to monitor customers' activity there is an expectation that firms will establish and maintain a suitable approach to enable the detection of suspicious activity, and as such customer activity should be monitored to enable anything unusual to be identified.

   Best practice is therefore to maintain systems and procedures to ensure that:

   • Suspicious or unusual transactions are flagged up;
   • Reports are promptly reviewed; and
   • Appropriate action is taken.

   The nature of the monitoring will again vary from firm to firm depending upon:

   • The nature of the transaction;
   • Whether it is part of a series of transactions;
   • The geographic destination, or origin of, the funds involved; and
   • The parties.

   Monitoring procedures should also include details of staff training to ensure that they are equipped to spot and deal with concerns, and know to whom they should report.

   Firms, especially those handling high volumes of transactions, should consider the use of some sort of automated service for the detection of suspicious transactions (those which are "out of the ordinary").

7. SUSPICIOUS ACTIVITIES REPORTING AND DATA PROTECTION

   7.1. Internal Reporting

   All employees working within the regulated sector are obliged to report to the MLRO (see above) where they:

   • Know (i.e. actually know something to be true, even if that knowledge is inferred); or
   • Suspect (i.e. beyond mere speculation and based on some foundation); or
   • Have reasonable grounds for knowing or suspecting (i.e. where there are demonstrated to be facts or circumstances, known to the member of staff, from which a reasonable person engaged in a business subject to the ML regulations would have inferred knowledge, or formed the suspicion that another person was engaged in Money Laundering or terrorist financing); or
   • That a person is engaged in money laundering or terrorist financing. Firms may, if they wish set up an internal procedure to enable employees to consult with line managers before making an approach to the MLRO, although the legal obligation to report the issue remains with the employee.

   The MLRO should ensure that all reports are documented, providing details of the customer about whom the report is made and a statement of information giving rise to the knowledge or suspicion.

   7.2. Consideration of Report by MLRO

   The MLRO should consider all reports made and determine whether or not it gives rise to knowledge or suspicion or reasonable grounds for knowledge or suspicion. In considering the report the MLRO must have access to all customer information and also be in a position to request additional customer information if deemed necessary (but see below regarding tipping off).

   It should be noted that that there is no duty for a report to be made in respect of an unsuccessful attempt to commit fraud, and further there is no duty to make a report where neither the identity of the person engaged in the Money Laundering is known, nor the whereabouts of any laundered property is known nor where the information available would assist in the identification of the individual concerned or the location of the laundered property.

   If a decision is made by the MLRO not to make an external report to SOCA, the reasons for not doing so should be clearly recorded and retained alongside the internal suspicion report.

   7.3. External Reporting

   If the MLRO decides that they know or suspect, or have reasonable grounds for knowing or suspecting, that the activity may be linked to Money Laundering or terrorist finance, a report must be made to SOCA as soon as possible. A guide to making a disclosure is available at http://www.soca.gov.uk/financialIntel/formsGuide.html. Links are also given to the electronic form (electronic submission is preferred) although a hard copy form is also available to download.

   7.4. Sanctions and Penalties

   Sanctions applied for failure of a member of staff to make a report as required to the MLRO, and/or for failure of the MLRO to make a report to SOCA as required, include a prison term of up to five years and /or a fine.

   7.5. Consent to Carry out a Transaction Where suspicion arises before a customer transaction has been carried out a report must be made to SOCA and consent obtained to proceed with the transaction. Where consent is not refused within 7 days from the making of the report to SOCA the firm may proceed with the transaction.

   7.6. Tipping off and Prejudicing an Investigation

   There are two separate offences of "tipping off" and "prejudicing an investigation" created by the Proceeds of Crime Act and with similar provisions also contained in the Terrorism Act.

   This means that firms cannot:

   • Tell a customer that a delay is due to consent from SOCA being awaited;
   • At a later time tell a customer that a delay was caused because a report had been made to SOCA; or
   • Tell a customer that law enforcement is conducting an investigation.

   If, however, a complaint is made to the Financial Ombudsman Service (FOS), and FOS contacts the firm regarding that complaint, then the firm should speak to the FOS legal department with which it may discuss the SOCA report.

   7.7. Subject Access Requests

   Where a subject access request is made following a suspicious transaction report being made, the documentation relating to the report may be withheld and, in addition, the customer should not be told that such information has been withheld.

8. STAFF AWARENESS, TRAINING AND ALERTNESS

   8.1. MLRO Responsibility

   The MLRO is responsible for oversight of the firm's compliance with its requirements in respect of training, including taking reasonable steps to ensure that the firm's systems and controls include appropriate training for employees in respect of Money Laundering.

   Firms should have policies in place to ensure that all relevant staff are aware of their obligations in respect of the prevention of Money Laundering and terrorist financing, which, in particular, should ensure that staff are adequately trained and alert to the risks.

   8.2. Senior Management and MLRO Obligations

   The high-level commitments contained in the FSA's sourcebook provide important background to Money Laundering training.

   These commitments are to ensure that:

   • Employees are competent;
   • Remain competent;
   • Are properly supervised;
   • Have their competence regularly reviewed; and
   • Their competence with regard to all of the above is appropriate.

   Firms also have a specific obligation under the ML regulations to "take appropriate measures in relation to staff training and awareness" of Money Laundering and terrorist financing risks, and failure to do so may leave firms open to prosecution.

   In addition to providing the training, firms should obtain a suitable acknowledgement from the employee that they have received such training and, should also ensure that the effectiveness of that training is properly assessed and any deficiencies addressed.

   8.3. What Training Should Employees Receive?

   Training should ensure that relevant employees are aware of their responsibilities in respect of the firm's policies and procedures for the prevention of Money Laundering and terrorist financing. These responsibilities should be documented in such a way that the employees are able to refer to them.

   Such training should enable employees to recognise unusual or suspicious transactions and which may give rise to reasonable grounds for suspicion. Which transactions may give rise to such suspicions will vary depending on the industry, product type and customer profile, but examples would include, amongst others:

   • Those which are uneconomic, make no sense or are unnecessarily complex;
   • Those involving non-resident accounts;
   • Unusual customer types for business area; and
   • Unusual transactions for that customer.

   Employees should also be trained to recognise issues around the identification process that may raise concerns including:

   • Refusal or reluctance to provide information;
   • Inconsistencies in information; or
   • Requests for unusually urgent completion of the transaction.

   Employees should also be trained to look out for things such as substantial increases in the amount or number of cash deposits or electronic transfers into an account.

   In addition, it should be ensured that employees are aware of:

   • The criminal law relating to Money Laundering and terrorist financing;
   • The ML Regulations;
   • Applicable FSA rules;
   • Industry guidance;
   • Risks posed by the threat;
   • How its products and services may be used for the purposes of money laundering;
   • The identity and responsibility of the MLRO; and
   • The potential effect on the firm and its employees, including the potential for criminal and regulatory sanctions, and its clients, of any breach.

   8.4. Criminal Liability

   8.4.1 Offence by the Firm It is an offence for firms not to have in place systems and procedures to prevent Money Laundering and terrorist financing. Failure to do so is an offence, whether or not Money Laundering or terrorist financing takes place as a result of the deficiencies.

   8.4.2 Employee Offence It is important, that in training staff, they are made aware that they as individuals can face criminal penalties if they are involved in Money Laundering, or if they fail to report their knowledge or suspicion of Money Laundering or terrorist financing where there are reasonable grounds for their knowing or suspecting such activity.

   However, there is a defence in the event that the employee has not received adequate training in which event the firm will become liable for prosecution or regulatory sanction as a result of its deficiencies.

9. RECORD KEEPING

   Firms are required to make, and retain, records of customer identification and transactions undertaken by them as evidence of their compliance with their legal and regulatory obligations. Such records may also be used by law enforcement agencies in the event of any subsequent investigation. Failure to observe the record keeping obligations risks an imprisonment of up to 2 years and/or a fine.

   Firms are also under a duty to ensure that any appointed representatives also comply with the regulations to make, and retain, such records. Records should be retained for a period of five years from the date of termination of the relationship with the customer. Records may be retained as originals, photocopies, on microfiche, as scanned documents or in a computerised or electronic format.

   The records should include the following:

   • Customer information, including identification and verification documentation. If copies of the verification documentation cannot be taken, a record should be kept detailing the document. If appropriate, a record of the reasons why a client has been treated as financially excluded should be kept;
   • All transactions carried out on behalf of, or with, the customer, including such supporting documentation as may be necessary to compile an audit trail if necessary and to establish a financial profile of a suspect;
   • Internal and external reports, including a record of actions taken under internal and external reporting requirements and where a report has not been made to SOCA following an internal report, a record of other material that was considered by the MLRO in making that decision. Copies of any Suspicious Activity Reports made to SOCA should also be retained;
   • Training given including details of dates, the nature of the training, the names of staff receiving the training and the results of any tests undertaken by staff in relation to the training given; and
   • Compliance monitoring, including reports by the MLRO to senior management and records of the consideration of those reports and action taken in respect of them.

   The essence of the guidance therefore requires firms to re-assess policies, procedures and controls in relation to the prevention of Money Laundering and the financing of terrorism in the new risk-based environment. The changes involved should not present the majority of firms with significant problems. Most FSA regulated firms are already used to addressing issues, and developing practices and procedures in a risk-based environment. Hopefully, however, these notes will assist firms in making any necessary changes to ensure compliance with the new guidelines, and will ensure that resources are more effectively targeted at the areas of business where the real threats lie.