Guidance on desk-based reviews
23 January 2024
As part of our risk-based supervisory work, we carry out desk-based reviews (DBRs) to ensure firms in scope of the MLRs are complying with their legal obligations under the legislation.
This is an ongoing rolling program whereby several firms are selected each month for a DBR. Firms will be notified in advance by way of a letter emailed to them, enclosing an AML questionnaire.
Requesting information
Once your firm has been notified of a DBR, you have 10 calendar days to provide the following:
- a completed AML questionnaire
- a copy of your firm-wide risk assessment (FWRA) under regulation 18 MLRs
- your firm's proliferation financing risk assessment (which may be part of the FWRA) under regulation 18A MLRs
- your firm's AML policies, controls, and procedures under regulation 19 MLRs
- your firm's template client/matter risk assessment
- a list of fee earners whose work is in scope of the MLRs
- your fee earners' open and closed matter lists.
How it works
Once all necessary documents are received, we will request a sample of the firm's open and closed files together with the client ledgers.
We will review the documents and assess the firm's level of compliance with the MLR 2017.
What happens at the end of a DBR?
Once we have reviewed all the documents, we might contact the firm if we have any queries. After this, firms will receive an outcome letter detailing the findings of our review and any next steps.
We have a range of tools we use to supervise firms and improve compliance. Below are the types of steps we might take at the end of a DBR:
- Guidance: This is where a firm is doing well and is compliant with the standards required in the regulations. This includes cases where the firm needs to make minor changes, or we share best practice.
- Letters of engagement: This is for partially compliant firms, where there are some elements of a firm's controls that need improving, but there is some good practice, and the firm is generally doing well at preventing money laundering. We will engage with firms to help them refine their processes and bring them into full compliance.
- Compliance plan: This is for partially compliant firms where we have more widespread concerns. We implement a compliance plan where there are several elements of a firm’s controls that need improving or where the level of non-compliance is of concern. A compliance plan sets out a series of actions that firms need to take, and by when, to bring them back into compliance with the regulations.
- Referral for investigation: Where we find significant or widespread non-compliance, we will refer firms for investigation and possible enforcement action. Examples include failure to carry out customer due diligence (CDD), failure to carry out client/matter risk assessments, no firm-wide risk assessment in place, out-of-date policies or a failure to train staff on the regulations. This might result in a regulatory sanction. Where necessary, we will also set up a compliance plan to assist the firm in meeting its obligations.