The original blog post dated 17th August 2021 was updated on 24th August 2022 to incorporate clarity provided in the updated BAMF Guidance (2022).

In ArtAML’s view, the intention of AML legislation is two-fold:
1 – Preventing your business from being the target of money laundering / terrorist-financing activities; and
2 – If your business is targeted, being able to identify it (and thereby report it to authorities).

In order to know how to mitigate the risks of being targeted, you need to establish the risks in the first place.

As a business regulated for AML, it’s not only a smart idea to conduct a risk assessment and create a corresponding policy that outlines how to mitigate identified liabilities, it’s a legal obligation.

Don’t take our word for it; Alan Patrick, HMRC’s strategy lead for Art Market Participants, wrote the following in the ATG (24th May 2021):

Five top tips from HMRC to avoid the most common errors HMRC finds when it carries out compliance visits

1. Risk Assessment
A firm’s risk assessment is the very foundation on which compliance with the MLRs is built. The risk assessment is bespoke to your business. It will change and develop, reflecting changes to your business model and how those changes impact on the money laundering and terrorist financing risks. There is no such thing as an off-the-shelf risk assessment, you have to assess the risks for your business.

2. Policies, controls and procedures
Once the risk assessment has been compiled, and the business is satisfied the risk assessment is comprehensive and robust, there must be appropriate policies, controls and procedures (PCPs) in place. Those PCPs need to “mitigate and manage effectively the risks … identified” and they need to be “regularly review[ed] and update[d]” (Regulation 19). Naturally, if the PCPs are drawn up to manage the risks identified in the risk assessment, the PCPs may well need to be adapted to reflect any ongoing changes to your picture of risk. The regulations are very specific on how your PCPs should address risk and keep addressing it on an ongoing basis.

To be clear, an AML Policy is not an additional clause in your Terms of Business. That said, it’s a good idea to include a mention of AML. Let customers and prospects know that as a regulated business under the MLRs 2017 or other applicable law, you’re required to collect certain information and that the completion of sales is contingent on the provision of information that is needed to comply.

An AML Policy is a standalone document that contains your policies, controls and procedures (“PCPs”). Each team member that is a responsible person and/or has AML responsibilities should be able to readily access this internal document, in case they need to refer to it to see what to do in certain circumstances. It needn’t be published on your site, particularly as it will contain information that is confidential to the business.

The updated BAMF Guidance (2022) is specific on requirements for a Risk Assessment:

1.2 To assess the most cost effective and proportionate way to manage and mitigate the money laundering and terrorist financing risks faced by the AMP, the following steps must be taken
> identify the money laundering and terrorist financing risks that are relevant to the AMP;
> assess the risks presented by the AMP’s particular
● customers (and any underlying beneficial owners);
● services provided;
● transactions;
● delivery channels (for example, private sales, internet platforms);
● geographical areas of operation;
> design and implement controls to manage and mitigate these assessed risks, in the context of the nature and size of the AMP’s business;
> monitor, review and update the effective operation of these controls; and
> record appropriately what has been done, and why, and the steps taken to communicate the controls within the business.

Furthermore, the updated BAMF Guidance (2022) is specific on requirements for corresponding Policies, Controls & Procedures (PCPs):
3. Policies, controls and procedures must require:
● carrying out a risk assessment identifying where the business is vulnerable to money laundering and terrorist financing
● preparing, maintaining and approving a written policy statement, controls and procedures to show how the business will manage the risks of money laundering and terrorist financing identified in risk assessments
● reviewing and updating the policies, controls and procedures to reflect changes to the risk faced by the business
● making sure there are enough trained people equipped to implement policies adequately, including systems in place to support them
● making sure that the policies, controls and procedures are communicated within the business, and communicated to and applied to subsidiaries or branches in or outside the UK
● monitoring effectiveness of the business’s policy, controls and procedures and make improvements where required
● having systems to identify when transactions are with or through high risk third countries identified by, or financial sanctions targets advised by, HM Treasury, and taking additional measures to manage and lessen the risk

How to get started with a risk assessment – and how can ArtAML™ help?

There are key areas that art market participants need to cover. Our risk assessment questionnaire, available to ArtAML™ platform subscribers, walks you through the process. When you’ve completed the questionnaire that is specific to your business, ArtAML™ creates your custom Risk Assessment and AML Policy. The subscription lasts for a year, so anytime there are business changes (for example, a new team member) or risks (for instance, selling to a country that borders a high-risk jurisdiction), we’ll update the risk assessment and policy at no charge.

How often do the risk assessment and policy need to be updated?
The BAMF Guidance (updated 2022) requires that you refresh these documents at minimum once per annum. Some good news is that after we’ve created your initial risk assessment & policy, you can take advantage of our ‘Health Check’ service to update these documents that are fundamental to your compliance program – not to mention check that you have necessary AML Training and more in place.

Get started:
The risk assessment + policy service is available for £495 (565 EUR or $645 USD).
>> This is available as an add-on to platform subscriptions.
Sign up now or get in touch.