Risk Assessment and AML Policy: A legal requirement for Art Market Participants

August 17, 2021
by ArtAML Team

The intention of AML legislation is two-fold:
1 – Preventing your business from being the target of money laundering / terrorist-financing activities; and
2 – If your business is targeted, being able to identify it (and thereby report it to authorities).

In order to know how to mitigate the risks of being targeted, you need to establish the risks in the first place.

Consider how insurance policies work:
At the outset, risks are identified, and the corresponding policy covers areas where you’re exposed. The terms of the policy set out what is needed to ensure that you’re covered in the case of a claim, including having outlined measures in place. A common requirement for galleries to be covered is to not place art directly on the floor but at least X cm / in above the ground, thereby mitigating the risk of water or liquid damage from a spill or small flood. Each year, a review is undertaken to determine how risks have changed and what needs to be added to or removed from the policy, in addition to adjustments to terms and price.

As a business regulated for AML, it’s not only a smart idea to conduct a risk assessment and create a corresponding policy that outlines how to mitigate identified liabilities, it’s a legal obligation.

Don’t take our word for it; Alan Patrick, HMRC’s strategy lead for Art Market Participants, wrote the following in the ATG (24th May 2021):

Five top tips from HMRC to avoid the most common errors HMRC finds when it carries out compliance visits

1. Risk Assessment
A firm’s risk assessment is the very foundation on which compliance with the MLRs is built. The risk assessment is bespoke to your business. It will change and develop, reflecting changes to your business model and how those changes impact on the money laundering and terrorist financing risks. There is no such thing as an off-the-shelf risk assessment, you have to assess the risks for your business.

2. Policies, controls and procedures
Once the risk assessment has been compiled, and the business is satisfied the risk assessment is comprehensive and robust, there must be appropriate policies, controls and procedures (PCPs) in place. Those PCPs need to “mitigate and manage effectively the risks … identified” and they need to be “regularly review[ed] and update[d]” (Regulation 19). Naturally, if the PCPs are drawn up to manage the risks identified in the risk assessment, the PCPs may well need to be adapted to reflect any ongoing changes to your picture of risk. The regulations are very specific on how your PCPs should address risk and keep addressing it on an ongoing basis.

To be clear, an AML Policy is not an additional clause in your Terms of Business. That said, it’s a good idea to include a mention of AML. Let customers and prospects know that as a regulated business under the MLRs 2017 or other applicable law, you’re required to collect certain information and that the completion of sales is contingent on the provision of information that is needed to comply.

An AML Policy is a standalone document that contains your policies, controls and procedures (“PCPs”). Each team member that is a responsible person and/or has AML responsibilities should be able to readily access this internal document, in case they need to refer to it to see what to do in certain circumstances. It needn’t be published on your site, particularly as it will contain information that is confidential to the business.

How to get started with a risk assessment – and how can ArtAML help?
There are key areas that art market participants need to cover. Our risk assessment, available to ArtAML platform subscribers, walks you through the process. When you’ve completed the questionnaire that is specific to your business, it’s available to download in your ArtAML dashboard.

How to create an AML Policy with ArtAML’s assistance?
Once you complete the risk assessment, we create your policy according to identified risks. The mitigations that are outlined are based on the ArtAML platform, which has been designed with a risk-based approach and enables documentation and notes, so that you can provide findings and explain why you’ve made decisions. It’s for this reason that the risk assessment and policy are available to our platform subscribers. A follow-up meeting helps to ensure that you understand the policy, and can thereby communicate it to other team members.

How often do the risk assessment and policy need to be updated?
The regulations require that you keep these up to date. A general rule of thumb adopted by multiple sectors is to review and update once per year, in addition to any time that risks change.

Get started:
The risk assessment + policy is available for £495. 
