1. Introduction

2017 saw changes to the legislation concerning money laundering in the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017 for short). MLR 2017 broadened the definition of money laundering and increased the range of activities caught by the statutory framework. It is no longer merely an issue for banks and the financial sector but now applies to all companies and institutions, including universities. These new obligations require universities to establish internal procedures to prevent the use of their services for money laundering.

2. Scope of the Policy

This policy applies to all University of Derby employees. The policy sets out the procedures that must be followed to enable the University to comply with its legal obligations. University employees who need to be the most vigilant are those dealing with the receipt or outlay of funds whether in the form of cash, cheques or bank transfer.

3. Definition of money laundering

Money laundering is the process of taking profits from crime and corruption and transforming them into legitimate assets. It takes criminally derived ‘dirty’ funds and converts them into other assets so they can be reintroduced into legal commerce. This process conceals the true origin or ownership of the funds and so ‘cleans’ them. The legislation defines the offences relating to money laundering as:

Money laundering regulations apply to cash transactions in excess of 10,000 euros. However the Proceeds of Crime Act applies to all transactions – cheques, cash, bank transfers, property and equipment to individuals or agents or third parties. 

The University of Derby will adopt a risk-based approach to anti-money laundering and to how it conducts due diligence.

As part of the risk based approach, the University will periodically and at least annually update the risk assessment and review the policies and procedures to ensure they take account of the changing risks and vulnerabilities of the University. Assessment of risk will be made by the Money Laundering Reporting Officer (MLRO) in conjunction with appropriate line management. For the University of Derby the nominated MLRO is Susan Ambler, email

4. Example risks to which University of Derby may be exposed

While much of the University’s financial activity could be considered relatively low risk from the perspective of money laundering, all staff need to be vigilant against the financial crime and fraud risks of day-to-day transactions. Any suspicions should be reported promptly to the MLRO. To counter the risk of the University becoming accidentally involved in money laundering, the principal risks need to be identified and assessed, and procedures put in place to mitigate them.

Examples: Normally it would be considered suspicious if a customer purchased a product by overpaying and then requesting the excess be transferred into a different account. 

It could be considered suspicious for a debt to be settled by an independent third party. It is, however, normal for student debt in the form of tuition fees for internal students, or living expenses owed, to be settled by a third party (parent).

BUFDG guidance suggests that particular care be focused on:

5. Student and customer identification – “know your customer”

It is important that procedures and controls are in place to identify the student, customer or other third party dealing with the University.

In the case of students, examples include passport, visa, birth certificate and correspondence with students at their home address. For people who intend to support the student, proofs such as letters or documents proving name, address and relationship with the student are required.

If the sponsor for the student is a company, a letter on company headed paper explaining the relationship between the company and the student and that permission has been given to pay tuition fees or tuition fees plus University of Derby accommodation fees by that company is required.

For other non-student debt, if the organisation is not known, the ‘engagement lead’ for the University should look for letter-headed documents, check websites or request credit checks to verify the validity of the potential customer. Cheques drawn from an unusual source should always be investigated.

6. Controls to mitigate risk

The University will pursue a policy of maximising online payments. All payments by students for tuition fees and accommodation should be made through online payment systems thereby removing acceptance of cash. Large sum cash receipts from students can only be accepted by the Finance Department: acceptance of large cash sums will only happen after consideration by a Finance manager taking into account the risk of the transaction and the risk to the student of carrying the cash.

Payments by third party:

Where identified, details to be checked over €10,000.

A student should not be permitted to pay the fees of another student who is not present at the time.

Refunds of payments made in respect of either student or non-student debt, by students or by third parties, will only be made by the same method and to the same account as the original payment was made.

There will be no cash refunds.

Students must make arrangements to cover their living expenses prior to arrival. This includes setting up their bank accounts.

If a donor or third party sends funds in excess of requested tuition fees, the excess can either be repaid to the donor using the same bank details or, with the permission in writing of the donor, be used to fund University of Derby accommodation due. The excess cannot be transferred to the student.

Fees paid in advance for foreign students who have subsequently been refused a visa are only refundable providing appropriate documentary evidence is available to demonstrate the circumstances. Refunds should only be made to the person and account making the original payment or in the case of a transfer by payment to the new university.

7. Procedure for individuals who have carried out “know your customer” checks and are still suspicious of a transaction

When you know or suspect that a money laundering activity is taking or has taken place you must disclose this immediately to your line manager. If, in consultation with your line manager suspicion is upheld, a disclosure report should be made to the MLRO.

The University ‘Suspected Money Laundering Reporting Form’ is shown in Appendix B. The report should contain as much detail as possible including:

Once you have reported your suspicions to the MLRO, neither you nor your concurring line manager should make any further enquiries nor discuss your suspicions further unless instructed by the MLRO. This will avoid making a disclosure which may prejudice a money laundering investigation.

8. Duties of the Money Laundering Reporting Officer

The MLRO will consider the notification and any other available internal information considered relevant, such as:

The MLRO may also need to discuss their report with the employee. The MLRO should keep a copy of all reported suspicious transactions, together with additional backup and reasons for final conclusions, whether reported to the NCA or not, for a minimum of 2 years (5 years for all instances reported to the NCA).

9. Advice to members of staff in identifying money laundering

It is not possible to give a definitive list of ways to spot money laundering or how to decide whether to make a report to the MLRO. The following are types of risk factors which may be considered:

10. Conclusion

Instances of suspected money laundering are likely to be rare given the nature of services provided by the University. However we must be aware of the legislative requirements, as failure to comply would have serious implications for both the University and individuals concerned.

Prompt action is expected of all employees, referring to the guidance in this policy: employees with any suspicions are asked to consult their line manager or the MLRO about their concerns.


Money Laundering - Risk-based approach 2018

MLR 2017 requires the university to set out both policies and procedures for performing CDD, and the transaction monitoring arrangements on a risk-managed basis. The Regulations place emphasis on the need for the university to adopt systems and controls to mitigate any financial crime risks based on a risk-based approach, and require the university to demonstrate and document that the risk assessment was carried out and kept up-to-date.

The FCA’s Financial Crime Guide includes a similar requirement on organisations to conduct regular risk assessments of financial crime risks. The university’s policies and procedures will be periodically reviewed and tailored to ensure that they take account of the various risks and vulnerabilities associated with its activities, and those of its customer base. The review periodicity should, as a maximum, be annual, although there may be circumstances where that is reduced, such as where the policies and procedures are new or changed.

Assessments of money laundering risks in terms of the different operations, products and services provided and the respective customer bases, should be made by the MLRO (Money Laundering Reporting Officer or Nominated Officer) in liaison with appropriate line management. This should provide reasonable assurance that the university’s anti-money laundering policies and procedures will support the prevention and detection of money laundering and/or terrorist financing. In terms of the current regulatory requirements, the risk-based assessment methodology that the university has used - and will use to maintain and develop the money laundering and/or terrorist financing risk assessment - is outlined in the following section.

The assessment takes account of the products and services offered by the university with a view to designing appropriate controls, such as Know Your Customer (KYC) procedures and the collection of other information required for Corporate Due Diligence (CDD). Whilst much of the university’s financial activity could be considered relatively low-risk from the perspective of money laundering, all staff need to be vigilant against the financial crime and fraud risks that the university faces day-to-day. Any suspicions arising in the normal course of business must be reported promptly to the MLRO/NO for further investigation and/or external reporting as required, in accordance with the procedures detailed in this policy.

AML Risk Assessment

MLR 2017 requires the university to undertake a risk assessment, and to demonstrate and document that it was carried out and has been/will be kept up-to-date.

The university has undertaken a risk assessment of our current product and services portfolio, as outlined in this section of the policy document. The university’s AML controls and processes have to be in proportion to the financial crime risks and relate to the four primary sources of risks, detailed below. Taken together, these identify the overall or composite risk:

The four risks are:

Typically, these would include:

The university’s Anti-Money Laundering risk assessment covers all areas and assesses each of the above risk factors and rates them on a RAG (Red, Amber, Green) scale equating to High, Medium and Low.

Risk Assessment by Category

Product/Service - Risk

At one level, the university’s involvement in advancing student loan funds does not present an opportunity for money laundering. However, there are money laundering risks associated with the repayment of such loans where the repayment funds come from unknown and/or unverified third-parties. The university’s involvement can result in a direct or indirect role in arrangements relating to the financing of student loans. Universities can become involved in a range of financial arrangements, often involving mainstream lenders such as banks and new and innovative student lending vehicles, particularly in relation to overseas students.

However, promoting a financial product without the necessary authorisation is an offence under the Financial Services & Markets Act 2000 (FSMA). Under FSMA it is a criminal offence for any person (including entities such as universities) to continue a regulated activity in the UK unless they are an authorised person. In respect of consumer credit activities, such authorisation is now granted by the FCA. Once fully authorised, universities remain subject to the rules and regulations found in the FCA Handbook and are subject to scrutiny and ongoing monitoring of their compliance with them.

Product/Service - Mitigation/Control

Most risks are mitigated as a result of the funds being paid direct to the university as the course provider. Third-party payments are only accepted under limited circumstances, such as where the third-parties have been authorised by the student and are closely related to the student. However, additional electronic due diligence checks will be performed where the third-party is unrelated. In addition, it should be recognised that there are fraud and AML risks associated with refunds and similar activities, and ongoing vigilance will be required. Given these factors, the Product/Service risk level for the university is ‘Green’.

Jurisdiction - Risk

The current jurisdiction for the university covers both UK and overseas activities, with some of those overseas activities being undertaken in potentially higher-risk locations. The University provides education services to various countries across the world through its education partnerships: considered high risk locations (in the current university portfolio) are Bangladesh, Malaysia and China.

Jurisdiction - Mitigation/Control

The JMLSG guidance, however, clarifies that a presumption of low risk applies to these jurisdictions unless the university’s experience with certain types of customers within these jurisdictions calls for a higher risk factor to be applied. The university’s experience to date has resulted in one concern, related to Bangladesh through the British American College (BAC), where the customer was keen to pay for services provided but was unable to do so because of outward currency restrictions. A number of cash sums were deposited to our credit by the customer (or its representatives) in a number of banks in the UK. We reported this and obtained clearance, but it is an example of the diligence required when dealing with overseas partners. Given these factors, the jurisdiction risk level for the university is ‘Green’.

Customer/Third-Party - Risk

Most of the university’s customers are residents in either UK or EEA countries. However, some students will come from and/or study in overseas areas which are potentially higher-risk locations. In addition, the university partners with overseas organisations during research and related activities.

Customer/Third-Party - Mitigation/Control

Customer Due Diligence (CDD) procedures have been implemented to mitigate the potential customer risk. Verification of individuals is undertaken using standard due diligence procedures, supported by further ‘high-risk’ (sanction) checks. The former is performed routinely and automatically, whereas the latter is a manual check. It is considered that an AML-type risk is unlikely to occur in the university’s activities, and any such risk would additionally be mitigated by the university’s third-party controls. Given these factors, the customer/third-party risk level for the university is ‘Green’.

Distribution - Risk

The university faces many risks associated with how we undertake business, particularly where it is at a distance, or digital/online and telephonic only. Whilst we have minimised the number of indirect relationships (e.g. via an agent, third-party or representative), those relationships still exist and present a risk.

Distribution - Mitigation/Control

The University is fully regulated by the FCA and even where an agent, third-party or representative is involved, the business relationship is only confirmed once the university has followed due process. If due process fails, then decisions will be taken as to whether the relationship should be further pursued, and what additional mitigations would be required in order to do so. The university has extensive international supplier/vendor relationships, and it is here that, arguably, the greatest risk arises. Given these factors, the distribution risk level for the university is considered to be ‘Amber’.

Key Roles - Money Laundering Reporting Officer (MLRO)

Universities are required to appoint a nominated officer to be aware of any suspicious activity in the business that might be linked to money laundering or terrorist financing, and if necessary to report it. However, universities are not necessarily required to register a Money Laundering Reporting Officer (MLRO). The MLRO for the University of Derby is the Interim Deputy Director of Finance. The deputy is the Head of Financial Accounting. In common with other universities and Higher Education Institutions (HEIs), the university has made the appropriate appointments, including deputies, and their details can be found in the Code of Conduct.

Know Your Customer (KYC) and Customer Due Diligence (CDD), including Financial Sanctions Targets

The relevant regulations require that the university must be reasonably satisfied as to the identity of the customer (and others) that they are engaging with in a business relationship. What follows is a synopsis of those regulations.


The University must be reasonably satisfied as to the identity of the customer (and others). To discharge the ‘reasonably satisfied’ requirement the university must, for example, know the name, permanent address and/or date of birth, as part of the CDD processes before commencing a business relationship. The CDD measures involve identifying the customer, verifying the customer identity on a risk basis, identifying the beneficial owner (where appropriate), and confirming the purpose and intended nature of the business relationship. There is a further requirement for the university to conduct ongoing monitoring of the business relationship as part of continuing due diligence. All of these activities should be undertaken on a risk-based basis.


MLR 2017 has introduced a number of exemptions from the standard CDD requirements. These exemptions are primarily focused on organisations that are themselves already subject to the MLRs, or to an equivalent standard if they are based overseas.


The specific identification requirements for different categories of customers (and others) are covered fully in the university standing documents. These requirements must always be adhered to and any instance where it has not been possible to comply with them should be immediately flagged to the relevant management. 

Financial Sanctions Targets

The UK government publishes frequently-updated guidance on financial sanctions targets, which includes a list of all targets. This guidance can be found at's consolidated list of targets.

Suspicious transaction reporting

The university will take all reasonable steps to identify and report suspicious transactions of all types. This includes matches involving Politically Exposed Persons (PEPs) and Sanctioned Parties. All internal reports will be considered by the MLRO (or equivalent), taking into account all other relevant information for the purpose of determining whether or not there is knowledge or suspicion of money laundering. Where this is considered to be the case, an external report will be made as specified in the university’s standing documents.

Training and Records

In line with the Regulations, all relevant members of staff will receive training in this policy and the wider aspects of AML. This will include new members, where the training will first be completed as part of their induction. Record keeping is crucial to an effective training regime, and a signed record (or computer-based equivalent) from every member of staff should be kept verifying that they have read, understood and been trained on AML and the policy. The frequency of training for relevant staff should be determined on a risk-based approach but the periodicity should not exceed two years, with annual training being used where it is warranted by the potential risk. In addition, refresher training should take place at each revision of the policy.


The Regulations require the university to take reasonable care to make and keep adequate records (including customer identification and accounting records) which are appropriate to the scale, nature and complexity of the university’s business. These records typically include identity documents, transaction records, records of reports (internal and external), and training records. The relevant retention periods are specified in the university standing documents.

Summary of KYC and CDD principles

CDD is actually part of KYC because KYC is the due diligence that universities must perform in order to identify their business relationships and customers and, hence, ascertain relevant information pertinent to doing financial business with them. Undertaking KYC and CDD not only ensures that a university complies with the law, it also makes good business sense by helping to ensure that a university does not enter into student and other relationships that might be considered too risky. There are essentially three components that make up the CDD measures required by the Money Laundering Regulations.

The three components are:

  1. Ascertaining and verifying the identity of the customer/student, i.e. knowing who they are and confirming that their identity is valid by obtaining documents or other information from sources which are independent and reliable. For the most part, to satisfy the requirements, identity checks for money laundering purposes are interpreted as obtaining a copy of photo identification (such as a passport) and proof of address (such as a recent utility bill).
  2. Ascertaining and verifying (if appropriate) the identity of the beneficial owners of a business, if there are any, so that you know the identity of the ultimate owners or controllers of the business.
  3. Information on the purpose and intended nature of the business relationship i.e. knowing what you are going to do with/for them and why.

There are three levels of CDD - ‘Standard’, ‘Simplified’, and ‘Enhanced’. ‘Standard due diligence’, as outlined above, should be applied to all financial relationships unless ‘simplified’ or ‘enhanced’ due diligence is appropriate. Universities should ensure the CDD records relied on are retained for five years from the date on which reliance commences. Failure to do so is a criminal offence.


CONFIDENTIAL - Suspected Money Laundering Reporting Form

This form has now been made available in an accessible and digital format. Please ensure you carefully follow the instructions and please do not discuss the content of this report with anyone you believe to be involved in the suspected money laundering activity described.



Last reviewed: 30/10/2020

Policy Owner: Finance