Policies, controls and procedures
The risk assessment shall be used to develop policies, controls and procedures to mitigate and manage the identified risks and maintain adequate control.
The policy should lay the foundations for the company's defences and be a policy statement about the culture and values that shall be upheld by the obliged entity in order to prevent their activities being misused for money laundering and terrorist financing. In addition, the policy should discuss how responsibilities are divided between individual employees and units.
Policies, controls and procedures shall, as a minimum, include provisions for the development and updating of policies, controls and procedures, including methods for mitigating risk, due diligence, the reporting of suspicious transactions, internal controls, the appointment of a AML/CFT compliance officer, and an examination of the qualifications of employees and, as appropriate, the requirement for an independent audit department or independent auditor to carry out audits and test internal policies, controls and procedures, as described above.
Obliged entities must, as a minimum, have internal rules/procedures in place for the following:
due diligence,
ongoing monitoring,
suspicious and unusual transactions,
monitoring whether individuals are in a risk group due to being politically exposed persons,
monitoring whether customers are on sanctions lists,
notifications to the Financial Intelligence Unit (FIU),
examinations of the qualifications of employees and rules on what checks should be run on their job applicants,
access of employees and restrictions on access to data and information which is stored on the basis of the Act on Measures against Money Laundering and Terrorist Financing.
The designated supervisor of measures against money laundering and terrorist financing shall ensure that policies, rules and procedures are implemented to promote coordinated working methods and a good implementation of the law in the activities of obliged entities. The senior management shall approve and monitor policies, controls and procedures.