2017 saw changes to the legislation concerning money laundering in the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017 for short). MLR 2017 broadened the definition of money laundering and increased the range of activities caught by the statutory framework. It is no longer merely an issue for banks and the financial sector but now applies to all companies and institutions, including universities. These new obligations require universities to establish internal procedures to prevent the use of their services for money laundering.
2. Scope of the Policy
This policy applies to all University of Derby employees. The policy sets out the procedures that must be followed to enable the University to comply with its legal obligations. University employees who need to be the most vigilant are those dealing with the receipt or outlay of funds whether in the form of cash, cheques or bank transfer.
3. Definition of money laundering
Money laundering is the process of taking profits from crime and corruption and transforming them into legitimate assets. It takes criminally derived ‘dirty’ funds and converts them into other assets so they can be reintroduced into legal commerce. This process conceals the true origin or ownership of the funds and so ‘cleans’ them. The legislation defines the offences relating to money laundering as:
- Concealing, disguising, converting or removing criminal property from the UK;
- Entering into an arrangement which the person knows or suspects facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person;
- Acquiring, using or having possession of criminal property;
- Making a disclosure which is likely to prejudice a money laundering investigation.
Money laundering regulations apply to cash transactions in excess of 10,000 euros. However, the Proceeds of Crime Act applies to all transactions – cheques, cash, bank transfers, property and equipment to individuals or agents or third parties.
The University of Derby will adopt a risk-based approach to anti-money laundering and to how it conducts due diligence.
- Risk assessment: the University-appointed Money Laundering Reporting Officer (MLRO) will analyse the University’s potential exposure to money laundering or terrorist financing. A written AML risk report should cover all university activities including customers, countries of operation, products and services, transactions, delivery channels and size and nature of business.
- Risk mitigation: written policies will set out how we mitigate risk, proportionate to the risks identified, and will be approved annually by senior management. They will include relevant controls, customer due diligence procedures, reporting, record keeping and monitoring.
- Level of Customer Due Diligence (CDD): to undertake CDD appropriate to the risk, with specific attention on high risk jurisdictions which make enhanced due diligence compulsory.
- Politically Exposed Persons (PEPs): to undertake due diligence of individuals who are trusted with prominent functions in the UK and overseas.
As part of the risk based approach, the University will periodically and at least annually update the risk assessment and review the policies and procedures to ensure they take account of the changing risks and vulnerabilities of the University. Assessment of risk will be made by the Money Laundering Reporting Officer (MLRO) in conjunction with appropriate line management. For the University of Derby the nominated MLRO is Susan Ambler, email firstname.lastname@example.org.
5. Example risks to which University of Derby may be exposed
While much of the University’s financial activity could be considered relatively low risk from the perspective of money laundering, all staff need to be vigilant against the financial crime and fraud risks of day-to-day transactions. Any suspicions should be reported promptly to the MLRO. To counter the risk of the University becoming accidentally involved in money laundering, the principal risks need to be identified and assessed, and procedures put into place to mitigate them.
Examples: Normally it would be considered suspicious if a customer purchased a product by overpaying and then requesting the excess be transferred into a different account.
It could be considered suspicious for a debt to be settled by an independent third party; it is, however, normal for student debt in the form of tuition fees for internal students, or living expenses owed, to be settled by a third party (parent).
BUFDG guidance suggests that particular care be focused on:
- Any payments in cash
- Unidentified cash receipts
- Applicants from high risk countries
- Requests for refunds – (particularly to a different account or individual to the payer)
- Failure to take up places
- Agents who do not fit in with normal procedures relating to deposits and tuition fees
- Identity fraud
6. Student and customer identification – “know your customer”
It is important that procedures and controls are in place to identify the student, customer or other third party dealing with the University.
In the case of students, examples include passport, visa, birth certificate and correspondence with students at their home address. For people who intend to support the student, proofs such as letters or documents proving name, address and relationship with the student are required.
If the sponsor for the student is a company, a letter on company headed paper explaining the relationship between the company and the student and that permission has been given to pay tuition fees or tuition fees plus University of Derby accommodation fees by that company is required.
For other non-student debt, if the organisation is not known to the ‘engagement lead’ for the University, the engagement lead should look for letter-headed documents, check websites or request credit checks to verify the validity of the potential customer. Cheques drawn from an unusual source should always be investigated.
7. Controls to mitigate risk
The University will pursue a policy of maximising online payments. All payments by students for tuition fees and accommodation should be made through online payment systems thereby removing acceptance of cash. Large sum cash receipts from students can only be accepted by the Finance Department: acceptance of large cash sums will only happen after consideration by a Finance manager taking into account the risk of the transaction and the risk to the student of carrying the cash.
Payments by third party:
Where identified, details to be checked over €10,000.
A student should not be permitted to pay the fees of another student who is not present at the time.
Refunds of payments made in respect of either student or non-student debt, by students or by third parties, will only be made by the same method and to the same account as the original payment was made.
There will be no cash refunds.
Students must make arrangements to cover their living expenses prior to arrival. This includes setting up their bank accounts.
If a donor or third party sends funds in excess of requested tuition fees, the excess can either be repaid to the donor using the same bank details or, with the permission in writing of the donor, be used to fund University of Derby accommodation due. The excess cannot be transferred to the student.
Fees paid in advance for foreign students who have subsequently been refused a visa are only refundable providing appropriate documentary evidence is available to demonstrate the circumstances. Refunds should only be made to the person and account making the original payment or in the case of a transfer by payment to the new university.
8. Procedure for individuals who have carried out “know your customer” checks and are still suspicious of a transaction
When you know or suspect that a money laundering activity is taking or has taken place, you must disclose this immediately to your line manager. If, in consultation with your line manager, suspicion is upheld, a disclosure report should be made to the MLRO.
The University ‘Suspected Money Laundering Reporting Form’ is shown in Appendix B. The report should contain as much detail as possible including:
- Full available details of the people, companies involved and all staff members who have dealt with the suspected transaction;
- Reasons as to why you are suspicious;
- Dates of the transactions, amounts involved and method of transfer of money or assets;
- Any other information that may help the Financial Controller judge the case for knowledge or suspicion of money laundering.
Once you have reported your suspicions to the MLRO, neither you nor your concurring line manager should make any further enquiries nor discuss your suspicions further unless instructed by the MLRO. This will avoid making a disclosure which may prejudice a money laundering investigation.
9. Duties of the Money Laundering Reporting Officer
The MLRO will consider the notification and any other available internal information considered relevant, such as:
- Reviewing other transaction patterns and volumes;
- The length of any business relationship involved;
- The number of any one-off transactions and linked one-off transactions;
- Any identification evidence held;
and will undertake such other reasonable enquiries as he/she thinks appropriate in order to ensure that all available information is taken into account in deciding whether a report to the National Crime Agency (NCA) is required.
The MLRO may also need to discuss their report with the employee. The MLRO should keep a copy of all reported suspicious transactions, together with additional backup and reasons for final conclusions, whether reported to the NCA or not, for a minimum of 2 years (5 years for all instances reported to the NCA).
10. Advice to members of staff in identifying money laundering
It is not possible to give a definitive list of ways to spot money laundering or how to decide whether to make a report to the MLRO. The following are types of risk factors which may be considered:
- A secretive person or business e.g. that refuses to provide requested information without a reasonable explanation;
- A customer or student requesting a large cash transaction – especially where the cash is in used notes or small denominations;
- Payment of any substantial sum in cash;
- Concerns about the honesty, integrity, identity or location of the people involved;
- Involvement of an unconnected third party without a logical reason or explanation;
- Overpayments for no apparent reason;
- Absence of any legitimate source for the funds received;
- Significant changes in the size, nature, frequency of transactions with a customer that is without reasonable explanation;
- Cancellation, reversal or request for refunds of earlier transactions;
- Requests for account details outside the normal course of business;
- Requests for payments or refunds after funds have been paid into the University’s bank account by a third party;
- A history of poor business records, controls or inconsistent dealing;
- Any other facts which tend to suggest that something unusual is happening and give reasonable suspicion about the motives of individuals.
Instances of suspected money laundering are likely to be rare given the nature of services provided by the University. However we must be aware of the legislative requirements, as failure to comply would have serious implications for both the University and individuals concerned.
Prompt action is expected of all employees, referring to the guidance in this policy: where they have any suspicions, employees are asked to consult their line manager or the MLRO about their concerns.
Money Laundering - Risk-based approach 2018
MLR 2017 requires the university to set out both policies and procedures for performing CDD, and the transaction monitoring arrangements on a risk-managed basis. The Regulations place emphasis on the need for the university to adopt systems and controls to mitigate any financial crime risks based on a risk-based approach, and require the university to demonstrate and document that the risk assessment was carried out and kept up-to-date.
The FCA’s Financial Crime Guide includes a similar requirement on organisations to conduct regular risk assessments of financial crime risks. The university’s policies and procedures will be periodically reviewed and tailored to ensure that they take account of the various risks and vulnerabilities associated with its activities, and those of its customer base. The review periodicity should, as a maximum, be annually - although there may be circumstances where that is reduced, such as where the policies and procedures are new or changed.
Assessments of money laundering risks in terms of the different operations, products and services provided and the respective customer bases, should be made by the MLRO (Money Laundering Reporting Officer or Nominated Officer) in liaison with appropriate line management. This should provide reasonable assurance that the university’s anti-money laundering policies and procedures will support the prevention and detection of money laundering and/or terrorist financing. In terms of the current regulatory requirements, the risk-based assessment methodology that the university has used - and will use to maintain and develop the money laundering and/or terrorist financing risk assessment - is outlined in the following section.
The assessment takes account of the products and services offered by the university with a view to designing appropriate controls, such as Know Your Customer (KYC) procedures and the collection of other information required for Corporate Due Diligence (CDD). Whilst much of the university’s financial activity could be considered relatively low-risk from the perspective of money laundering, all staff need to be vigilant against the financial crime and fraud risks that the university faces day-to-day. Any suspicions arising in the normal course of business must be reported promptly to the MLRO/NO for further investigation and/or external reporting as required, in accordance with the procedures detailed in this policy.
AML Risk Assessment
MLR 2017 requires the university to undertake a risk assessment, and to demonstrate and document that it was carried out and has been/will be kept up-to-date.
The university has undertaken a risk assessment of our current product and services portfolio, as outlined in this section of the policy document. The university’s AML controls and processes have to be in proportion to the financial crime risks and relate to the four primary sources of risks, detailed below. Taken together, these identify the overall or composite risk:
The four risks are:
- Product/Service: Risks associated with our standard product and service offerings.
- Jurisdictional: Risks associated with geography, location and jurisdiction including, but not limited to, the university’s countries of operation, the location of customers, suppliers and/or agents, and transactional sources/destinations.
- Customer/Third-Party: Risks associated with the people and/or organisations that we undertake business (in all forms) with, including customers/third-parties, beneficial owners, agents, contractors, vendors and suppliers. Politically Exposed Persons (PEPs) and Sanctioned Parties are also considered within this risk.
- Distribution: Risks associated with how we undertake business, including direct and indirect relationships (e.g. via an agent or third-party), face-to-face, digital/online and telephonic.
Various bodies provide advice for assessing the anti-money laundering risks associated with these risk headings, and what activities may increase those risks. Typically, these would include:
- Product/Service and Distribution: Cash transactions, anonymous transactions, non-face-to-face transactions, transactions involving unknown third-parties and unregulated transactions (i.e. from unregulated third-parties).
- Customer/Third-Party: Unusual business relationships, cash businesses, non-UK/non-local residents and Politically Exposed Persons (PEPs) and Sanctioned Parties.
- Country, geographic and jurisdictional: Countries recognised to have inadequate AML/CTF controls and processes, countries subject to sanctions, embargoes and related measures, and countries identified by recognised authorities as supporting terrorism and/or terrorist organisations.
Composite Risk
The university’s Anti-Money Laundering risk assessment covers all areas and assesses each of the above risk factors and rates them on a RAG (Red, Amber, Green) scale equating to High, Medium and Low.
Risk Assessment by Category
Product/Service - Risk
At one level, the university’s involvement in advancing student loan funds does not present an opportunity for money laundering. However, there are money laundering risks associated with the repayment of such loans where the repayment funds come from unknown and/or unverified third-parties. The university’s involvement can result in a direct or indirect role in arrangements relating to the financing of student loans. Universities can become involved in a range of financial arrangements, often involving mainstream lenders such as banks and new and innovative student lending vehicles, particularly in relation to overseas students.
However, promoting a financial product without the necessary authorisation is an offence under the Financial Services & Markets Act 2000 (FSMA). Under FSMA it is a criminal offence for any person (including entities such as universities) to continue a regulated activity in the UK unless they are an authorised person. In respect of consumer credit activities, such authorisation is now granted by the FCA. Once fully authorised, universities remain subject to the rules and regulations found in the FCA Handbook and are subject to scrutiny and ongoing monitoring of their compliance with them.
Product/Service - Mitigation/Control
Most risks are mitigated as a result of the funds being paid direct to the university as the course provider. Third-party payments are only accepted under limited circumstances, such as where the third-parties have been authorised by the student and are closely related to the student. However, additional electronic due diligence checks will be performed where the third-party is unrelated. In addition, it should be recognised that there are fraud and AML risks associated with refunds and similar activities, and ongoing vigilance will be required. Given these factors, the Product/Service risk level for the university is ‘Green’.
Jurisdiction - Risk
The current jurisdiction for the university covers both UK and overseas activities, with some of those overseas activities being undertaken in potentially higher-risk locations. The University provides education services to various countries across the world through its education partnerships: considered high risk locations (in the current university portfolio) are Bangladesh, Malaysia and China.
Jurisdiction - Mitigation/Control
The JMLSG guidance, however, clarifies that a presumption of low risk applies to these jurisdictions unless the university’s experience with certain types of customers within these jurisdictions calls for a higher risk factor to be applied. The university’s experience to date has resulted in one concern, related to Bangladesh through the British American College (BAC), where the customer was keen to pay for services provided but was unable to do so due to outward currency restrictions. A number of cash sums were deposited to our credit by the customer (or its representatives) in a number of banks in the UK. We reported this and obtained clearance, but it is an example of the diligence required when dealing with overseas partners. Given these factors, the jurisdiction risk level for the university is ‘Green’.
Customer/Third-Party - Risk
Most of the university’s customers are residents in either UK or EEA countries. However, some students will come from and/or study in overseas areas which are potentially higher-risk locations. In addition, the university partners with overseas organisations during research and related activities.
Customer/Third-Party - Mitigation/Control
Customer Due Diligence (CDD) procedures have been implemented to mitigate the potential customer risk. Verification of individuals is undertaken using standard due diligence procedures, supported by further ‘high-risk’ (sanction) checks. The former is performed routinely and automatically, whereas the latter is a manual check. It is considered that an AML-type risk is unlikely to occur in the university’s activities, and any such risk would additionally be mitigated by the university’s third-party controls. Given these factors, the customer/third-party risk level for the university is ‘Green’.
Distribution - Risk
The university faces many risks associated with how we undertake business, particularly where it is at a distance, or digital/online and telephonic only. Whilst we have minimised the number of indirect relationships (e.g. via an agent, third-party or representative), those relationships still exist and present a risk.
Distribution - Mitigation/Control
The University is fully regulated by the FCA and even where an agent, third-party or representative is involved, the business relationship is only confirmed once the university has followed due process. If due process fails, then decisions will be taken as to whether the relationship should be further pursued, and what additional mitigations would be required in order to do so. The university has extensive international supplier/vendor relationships, and it is here that, arguably, the greatest risk arises. Given these factors, the distribution risk level for the university is considered to be ‘Amber’.
Key Roles - Money Laundering Reporting Officer (MLRO)
Universities are required to appoint a nominated officer to be aware of any suspicious activity in the business that might be linked to money laundering or terrorist financing, and if necessary to report it. However, Universities are not necessarily required to register a Money Laundering Reporting Officer (MLRO). The MLRO for the University of Derby is the Interim Deputy Director of Finance. The deputy is the Head of Financial Accounting. In common with other universities and Higher Education Institutions (HEI’s), the university has made the appropriate appointments, including deputies, and their details can be found in the Code of Conduct.
Know Your Customer (KYC) and Customer Due Diligence (CDD), including Financial Sanctions Targets
The relevant regulations require that the university must be reasonably satisfied as to the identity of the customer (and others) that they are engaging with in a business relationship. What follows is a synopsis of those regulations.
The University must be reasonably satisfied as to the identity of the customer (and others). To discharge the ‘reasonably satisfied’ requirement the university must, for example, know the name, permanent address and/or date of birth, as part of the CDD processes before commencing a business relationship. The CDD measures involve identifying the customer, verifying the customer identity on a risk basis, identifying the beneficial owner (where appropriate), and confirming the purpose and intended nature of the business relationship. There is a further requirement for the university to conduct ongoing monitoring of the business relationship as part of continuing due diligence. All of these activities should be undertaken on a risk-based basis.
MLR 2017 has introduced a number of exemptions from the standard CDD requirements. These exemptions are primarily focused on organisations that are already subject themselves to the MLRs, or to an equivalent standard if they are based overseas.
The specific identification requirements for different categories of customers (and others) are covered fully in the university standing documents. These requirements must always be adhered to and any instance where it has not been possible to comply with them should be immediately flagged to the relevant management.
Financial Sanctions Targets
The UK government publishes frequently-updated guidance on financial sanctions targets, which includes a list of all targets. This guidance can be found at gov.uk's consolidated list of targets.
Suspicious transaction reporting
The university will take all reasonable steps to identify and report suspicious transactions, of all types. This includes matches involving Politically Exposed Persons (PEP’s) and Sanctioned Parties. All internal reports will be considered by the MLRO (or equivalent), taking into account all other relevant information for the purpose of determining whether or not there is knowledge or suspicion of money laundering. Where this is considered to be the case, an external report will be made as specified in the university’s standing documents.
Training and Records
In line with the Regulations, all relevant members of staff will receive training in this policy and the wider aspects of AML. This will include new members, where the training will first be completed as part of their induction. Record keeping is crucial to an effective training regime, and a signed record (or computer-based equivalent) from every member of staff should be kept verifying that they have read, understood and been trained on AML and the policy. The frequency of training for relevant staff should be determined on a risk-based approach but the periodicity should not exceed two years, with annual training being used where it is warranted by the potential risk. In addition, refresher training should take place at each revision of the policy.
The Regulations require the university to take reasonable care to make and keep adequate records (including customer identification and accounting records) which are appropriate to the scale, nature and complexity of the university’s business. These records typically include identity documents, transaction records, records of reports (internal and external), and training records. The relevant retention periods are specified in the university standing documents.
Summary of KYC and CDD principles
CDD is actually part of KYC because KYC is the due diligence that universities must perform in order to identify their business relationships and customers and, hence, ascertain relevant information pertinent to doing financial business with them. Undertaking KYC and CDD not only ensures that a university complies with the law, it also makes good business sense by helping to ensure that a university does not enter into student and other relationships that might be considered too risky. There are essentially three components that make up the CDD measures required by the Money Laundering Regulations.
The three components are:
- Ascertaining and verifying the identity of the customer/student, i.e. knowing who they are and confirming that their identity is valid by obtaining documents or other information from sources which are independent and reliable. For the most part, to satisfy the requirements, identity checks for money laundering purposes are interpreted as obtaining a copy of photo identification (such as a passport) and proof of address (such as a recent utility bill).
- Ascertaining and verifying (if appropriate) the identity of the beneficial owners of a business, if there are any, so that you know the identity of the ultimate owners or controllers of the business.
- Information on the purpose and intended nature of the business relationship i.e. knowing what you are going to do with/for them and why.
There are three levels of CDD - ‘Standard’, ‘Simplified’, and ‘Enhanced’. ‘Standard due diligence’, as outlined above, should be applied to all financial relationships unless ‘simplified’ due diligence or ‘enhanced’ due diligence is appropriate. Universities should ensure the CDD records relied on are retained for five years from the date on which reliance commences. Failure to do so is a criminal offence.
CONFIDENTIAL - Suspected Money Laundering Reporting Form
This form has now been made available in an accessible and digital format. Please ensure you carefully follow the instructions and please do not discuss the content of this report with anyone you believe to be involved in the suspected money laundering activity described.
Last reviewed: 30/10/2020
Policy Owner: Finance