PART 2 Money Laundering and Terrorist Financing

CHAPTER 2 Risk assessment and controls

Risk assessment by supervisory authorities

17.—(1) Each supervisory authority must identify and assess the international and domestic risks of money laundering and terrorist financing to which those relevant persons for which it is the supervisory authority (“its own sector”) are subject.

(2) In carrying out the risk assessment required under paragraph (1), the supervisory authority must take into account—

F1(a). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F2(b). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(c) the report prepared by the Treasury and the Home Office under regulation 16(6); and

(d) information made available by the Treasury and the Home Office under regulation 16(8).

(3) A supervisory authority must keep an up-to-date record in writing of all the steps it has taken under paragraph (1).

(4) Each supervisory authority must develop and record in writing risk profiles for each relevant person in its own sector.

(5) A supervisory authority may prepare a single risk profile under paragraph (4) in relation to two or more relevant persons in its sector, if—

(a) the relevant persons share similar characteristics; and

(b) the risks of money laundering and terrorist financing affecting those relevant persons do not differ significantly.

(6) Where a supervisory authority has prepared a single risk profile for two or more relevant persons in its sector (a “cluster”), the supervisory authority must keep under review whether an individual risk profile should be prepared in relation to any relevant person in the cluster because sub-paragraph (a) or (b) (or both sub-paragraphs) of paragraph (5) are no longer satisfied in relation to that person.

(7) In developing the risk profiles referred to in paragraph (4), the supervisory authority must take full account of the risks that relevant persons in its own sector will not take appropriate action to identify, understand and mitigate money laundering and terrorist financing risks.

(8) Each supervisory authority must review the risk profiles developed under paragraph (4) at regular intervals and following any significant event or developments which might affect the risks to which its own sector is subject, such as—

(a) significant external events that change the nature of the money laundering or terrorist financing risks;

(b) emerging money laundering or terrorist financing risks;

(c) any findings resulting from measures taken by other supervisory authorities;

(d) any changes in the way in which its own sector is operated;

(e) significant changes in regulation.

(9) If information from the risk assessment carried out under paragraph (1), or from information provided to the supervisory authority under regulation 16(8), would assist relevant persons in carrying out their own money laundering and terrorist financing risk assessment, the supervisory authority must, where appropriate, make that information available to those persons, unless to do so would not be compatible with restrictions on sharing information imposed by or under [F3

(a) the Data Protection Act 2018 or any other enactment, or

(b) the [F4 UK GDPR].]