The government has implemented the European Union’s Fourth Anti Money Laundering Directive, effective from 26 June 2017
The government has implemented The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 that transpose the European Union’s Fourth Anti Money Laundering Directive into UK law. The regulations were effective from 26 June 2017.
The regulations are:
The regulations build on the current regulatory framework, although there are some specific, and potentially significant, changes that you need to be aware of.
CCAB has issued draft guidance.
Identifying and assessing risk was an important theme running through the Money Laundering Regulations 2007 (MLR07), and firms were encouraged to assess the risks faced by the business, as well as the risk that clients would be involved in money laundering or terrorist financing.
The regulations set out a more prescriptive approach to this firm-wide risk assessment. There is a requirement for a written risk assessment (that we can ask you to submit to us) and a list of factors that you must take into account. These are:
You can continue to use chapter 4 of the CCAB guidance to help you perform your risk assessment. This chapter encourages you to design the nature and extent of your AML procedures based on:
The regulations accept that the nature of the risk assessment will depend on the size and nature of your firm. The overall risk assessment of a small firm may be quite succinct; the most important part is that you properly identify and assess the risk of money laundering or terrorist financing and that your assessment is documented.
Firms must now appoint a money laundering compliance principal (MLCP) and that individual must be on the board of directors (or equivalent management body), or a member of senior management, where appropriate to the size and nature of the business.
Firms must also appoint a nominated officer (ie the individual nominated to receive internal suspicious activity reports and who assesses whether a suspicious activity report should be made to the National Crime Agency (NCA)).
The MLCP and the nominated officer can be the same person but the identities of each need to be communicated to your supervisory body within 14 days of first appointment.
All firms currently have a money laundering reporting officer under MLR07; you now need to make sure that this individual is on the board of directors (or equivalent management body), or is a member of senior management, and that they have responsibility for compliance with the regulations.
Where appropriate to the size and nature of the business, firms must now assess the skills, knowledge, conduct and integrity of those employees who are involved in identifying, mitigating, preventing or detecting money laundering and terrorist financing in the course of business. This includes those staff whose work is relevant to compliance with the regulations.
You will already assess your staff for competence, conduct and integrity. You must now make sure that these assessments include money laundering.
You must also regularly train your staff in how to recognise and deal with transactions and other activities that may be related to money laundering or terrorist financing.
The draft regulations say that firms must establish an independent audit function to assess the adequacy and effectiveness of the firm’s AML policies, controls and procedures.
You should already be performing a money laundering compliance review, which we believe addresses the requirement for an independent audit function. You should make sure that your money laundering compliance principal is responsible for performing this review. You should perform a compliance review regularly and, where you identify any recommendations, you must monitor the firm’s compliance with these recommendations.
MLR07 required firms to have policies, controls and procedures to prevent activities related to money laundering and terrorist financing, as well as data protection requirements. A written record of training must be maintained.
The regulations build on these by requiring you to document these policies, controls and procedures and your senior management to approve them.
There is also a new requirement for firms with overseas subsidiaries and branches to establish group-wide policies and procedures that comply with UK requirements:
The regulations keep the core requirement that you must perform client due diligence before you establish a business relationship and when you identify any factors relevant to your risk assessment that have changed. These may include:
You must still identify and verify the owner and the beneficial owner but the regulations state that you can’t rely solely on Companies House.
There are three key changes to the CDD requirements:
Under MLR07, SDD was the default option for a defined list of entities – for example, listed companies.
Instead, the regulations now embed SDD into the risk-based approach. You must still perform CDD but you may limit that due diligence based on whether you think SDD is appropriate. The regulations give a list of low-risk factors where SDD may be appropriate, which is similar to the list of entities in MLR07 (ie credit or financial institutions) but also includes customers in geographical areas of lower risk.
The rules around EDD are significantly different under the regulations. There is a defined list of situations where you must apply EDD. These are:
If your risk assessment identifies that you should carry out EDD, then you must, as a minimum:
You may also choose to perform one of the following measures:
The regulations give a list of risk factors that might indicate that there is a high risk of money laundering or terrorist financing. You should consider these when assessing if EDD might be appropriate (s.33).
Typically for companies the information would include:
The regulations require you to have procedures in place that will identify whether a client, or the beneficial owner of a client, is a PEP or a family member or known close associate of a PEP.
A family member of a PEP includes their spouse, civil partner, children and parents.
A known close associate of a PEP means:
When you identify a potential client is a PEP, you must assess the level of risk associated with your client and the extent of any EDD that you should perform on that client. As a minimum, you must:
When a client ceases to be a PEP, you must continue to apply your EDD procedures for at least 12 months (or longer if necessary to address the risk of money laundering or terrorist financing). However, if your client is a family member or known associate of a PEP, you can stop applying EDD procedures as soon as the PEP status ends.
In determining whether someone is a known close associate of a PEP, obliged entities are allowed to rely on information they already hold or that which is freely available in the public domain.
If you place reliance on the CDD of a third party, or if a third party places reliance on your CDD, you need to be aware of the changes under the regulations.
If you are relying on a third party, you must obtain copies of all relevant documentation. You must also enter into a written arrangement that confirms that the firm being relied on will provide the relevant documentation immediately on request.
In summary, for reliance on third parties for CDD: