The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations replaced the Money Laundering Regulations 2007 with updated provisions that implement in part the EU Fourth Money Laundering Directive, which in turn applied the latest Financial Action Task Force (FATF) standards. The FATF is an inter-governmental body that sets the international standards for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system. This article will look at the changes introduced by the new regulations and in doing so will adopt the structure of the explanatory notes accompanying the regulations.
It is estimated that over 100,000 businesses in the UK are covered by the money laundering regime. The regulations are deliberately not totally prescriptive, electing for flexibility in order to promote a proportionate and effective risk-based approach on the assumption that the businesses concerned are best placed to know their customers and manage their risks. The regulations, however, do introduce more specific requirements in relation to how levels of risk are to be assessed.
The regulations apply to financial institutions and ‘gatekeepers’ to the financial system. They therefore cover accountants, auditors, legal advisers and tax advisers. Essentially, those covered by MLR 2017 remain the same as under the previous rules. However, it should be noted that the 2017 regulations have raised the base level for their general application from £64,000 to £100,000.
Regulation 4 also makes it clear that where a relevant person (ie one covered by the regulations) is asked to form a company for a customer, that is to be treated as a business relationship for the purpose of the regulations, whether or not the formation of the company is the only transaction carried out for that customer.
High value dealers – ie any business or sole trader that accepts or makes high value cash payments in exchange for goods – remain covered by the regulations but the threshold for eligible transactions (either in one transaction or a series of linked transactions) comes down from 15,000 to 10,000 Euro (reg 14).
A risk-based approach, or risk-management practices as it is referred to in the outcome H1c(i) of the LW (ENG) and (GLO) study guide, underpins all supervisory action. At the national level, this is conducted by HM Treasury and the Home Office (reg 16). At the level of supervisory authorities responsible for the oversight of particular sectors, they will be required to conduct an assessment of risk across the business sector they regulate and take appropriate action, such as reviewing risk profiles at regular intervals, especially if circumstances change (reg 17).
At the individual enterprise level, any relevant individual (ie one covered by the regulations no matter their legal form) must make an assessment as to the risk of the likelihood of money laundering arising (reg 18) and is required to keep an up-to-date record in writing of all the steps taken in this regard, unless its supervisory authority notifies it in writing that such a record is not required. In making such an assessment, the following matters must be taken into account:
(a) information made available to them by the supervisory authority
(b) risk factors including factors relating to:
(i) its customers
(ii) the countries or geographic areas in which it operates
(iii) its products or services
(iv) its transactions, and
(v) its delivery channels.
The regulations clearly recognise that the potential risk of money laundering taking place will depend on the size and nature of the business. Following the assessment of potential risk, the individual or business entity is required to put into place policies, controls and procedures to manage and mitigate the risks of money laundering. The regulations allow for different strategies and approaches to be adopted by different enterprises, as long as they are appropriate and proportionate to the potential risk. The individual/enterprise is required to regularly review and update the policies, controls and procedures established and must maintain a record, in writing, of those policies, controls and procedures (reg 19).
These matters, included in outcome H1)c)ii) of the LW (ENG) and (GLO) study guide, are governed by regulation 21 to the following effect:
(1) Officer responsible for compliance
Where appropriate with regard to the size and nature of its business, a relevant person must appoint one individual who is a member of the board of directors or of its senior management as the officer responsible for the relevant person’s compliance with the regulations. This person bears the title money laundering compliance principal (MLCP). This role is distinct from the existing role of money laundering reporting officer (MLRO), who is the person nominated to receive internal suspicious activity reports and who assesses whether a suspicious activity report should be made to the National Crime Agency (NCA). However, where this person is sufficiently senior in the management structure they can combine the roles and functions of MLCP and MLRO. Sole practitioners with no employees are obviously not bound by this requirement.
(2) Screening of relevant employees
Again, where appropriate to the size and nature of the business, a relevant person is required to assess the skills, knowledge, conduct and integrity of those employees who are involved in identifying, mitigating, preventing or detecting money laundering in the course of business.
Regulation 24 requires a relevant person to:
(a) ensure that its relevant employees are:
(i) made aware of the law relating to money laundering and terrorist financing, and to the requirements of data protection, which are relevant to the implementation of these regulations
(ii) regularly given training in how to recognise and deal with transactions and other activities or situations which may be related to money laundering or terrorist financing;
(b) maintain a record in writing of the measures taken under sub-paragraph (a), and in particular, of the training given to its relevant employees.
Where required under regulation 27, customer due diligence, as included in outcome H1)c)iii) of the LW (ENG) and (GLO) study guide, must be carried out in all circumstances and the following steps must be taken (reg 28):
(a) identify the customer unless the identity of that customer is known to, and has been verified by, the relevant person
(b) verify the customer’s identity unless the customer’s identity has already been verified by the relevant person, and
(c) assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or occasional transaction.
Where the customer is a body corporate, the relevant person must obtain and verify:
(i) the name of the body corporate
(ii) its company number or other registration number
(iii) the address of its registered office, and if different, its principal place of business;
The Regulations, however, recognise that, depending on their circumstances, individuals and businesses will not need to apply the same levels of due diligence to ensure money laundering is not taking place. Consequently they introduce two levels of due diligence based on the level of perceived risk:
(1) Simplified due diligence (SDD) (reg 37)
This arises where the regulations require the performance of CDD, but the object of the CDD complies with a prescribed list of low risk factors, including such factors as whether the customer:
(i) is a public administration, or a publicly owned enterprise
(ii) is an individual resident in a geographical area of lower risk
(iii) is a credit institution or a financial institution which is otherwise appropriately regulated or supervised.
(2) Enhanced due diligence (EDD) (reg 33)
Regulation 33 establishes a list of situations where EDD must be applied by the relevant person. Among these are the following:
When assessing whether there is a high risk of money laundering in a particular situation, and the extent of the measures which should be taken to manage and mitigate that risk, relevant persons must take account of risk factors including, among other things:
(a) customer risk factors, including whether:
(i) the business relationship is conducted in unusual circumstances
(ii) the customer is resident in a geographical area of high risk (see sub-paragraph (c))
(iii) the customer is a legal person or legal arrangement that is a vehicle for holding personal assets
(iv) the customer is a company that has nominee shareholders or shares in bearer form
(v) the customer is a business that is cash intensive
(vi) the corporate structure of the customer is unusual or excessively complex given the nature of the company’s business
(b) product, service, transaction or delivery channel risk factors, including whether:
(i) the product involves private banking
(ii) the product or transaction is one which might favour anonymity
(iii) the situation involves non-face-to-face business relationships or transactions, without certain safeguards, such as electronic signatures
(iv) payments will be received from unknown or unassociated third parties
(v) new products and new business practices are involved, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products
(vi) the service involves the provision of nominee directors, nominee shareholders or shadow directors, or the formation of companies in a third country
(c) geographical risk factors, including:
(i) countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective systems to counter money laundering or terrorist financing
(ii) countries identified by credible sources as having significant levels of corruption or other criminal activity, such as terrorism (within the meaning of s1 Terrorism Act 2000(86)), money laundering, and the production and supply of illicit drugs
(iii) countries subject to sanctions, embargos or similar measures issued by, for example, the European Union or the United Nations.
If risk assessment identifies the need for EDD, then the following measures MUST be taken:
Reliance and record keeping
These matters are included in outcome H1)c)iv) of the LW (ENG) and (GLO) study guide.
Reliance on a third party (reg 39)
A relevant person may rely on an appropriate third party’s due diligence measures, but the relevant person remains liable for any failure in the third party’s application of such measures.
Records (reg 40)
Any relevant person must keep the records, such as a copy of any documents and information obtained by the relevant person to satisfy the customer due diligence requirements, for a period of five years.
Part 8 of the regulations gives supervisory authorities the powers to monitor businesses operating in their sectors effectively. Part 9 empowers them to take appropriate action if needed, such as imposing civil penalties, fines or statements relating to relevant persons under their authority.
The office is a new regulatory body with the general oversight of the supervisory anti-money laundering regime and the OPBAS has duties and powers to ensure the professional body anti-money laundering supervisors meet the standards required by the Money Laundering Regulations 2017. The OPBAS operates within the Financial Conduct Authority with the stated aim of facilitating collaboration and information sharing between the professional body anti-money laundering supervisors, law enforcement and other statutory supervisory authorities.
Written by a member of the Corporate and Business Law examining team