‘The Code requires relevant persons to have certain procedures in place. Paragraph 4 of the Code requires a relevant person to:
These procedures and controls must be approved by the senior management of the relevant person and evidence of this approval should be made available to competent authorities upon request. Examples of such evidence include board minutes or similar documentary evidence.
It is a criminal offence for a relevant person to fail to establish, maintain and operate the procedures listed above. Where such an offence is committed with the consent or connivance of, or is attributable to neglect on the part of an officer of the business, he too shall be deemed to have committed a criminal offence. The definition of “officer” includes a director, manager, board member or secretary and a person purporting to act as such.’
Because the sector is evolving rapidly, the Authority expects VC businesses to review and update their business risk assessment each time there is a new technological developments risk assessment, or at least 6-monthly.
The general requirements of a business risk assessment are covered in the paragraph above. The additional factors below are of high importance to VC businesses and should be included in detail in the business risk assessment.
Inherent product risks - The business risk assessment should include the full list of inherent risk factors listed in section 4 of this document with a note confirming which of the listed factors are applicable to the relevant person’s business and why. For those that are applicable, there should also be a note detailing the steps taken and processes in place to mitigate the identified risk.
Application of the AML/CFT requirements - The business risk assessment should include the sub-headers listed under the application of AML/CFT requirements at section 5 of this document, with a note confirming any difficulties the relevant person is likely to face in complying with the listed requirements and detailing the measures that have been put in place to combat each of these difficulties.
The relevant person will be expected to demonstrate to the Authority how it has been able to overcome such challenges in order to comply with the AML/CFT requirements. Instances in which the relevant person has not been able to comply with the AML/CFT requirements should be escalated to the Authority in a timely manner and must be formally documented in their annual compliance return.
For further detail, please see: