Money Laundering Regulations 2017

The government has implemented The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which transpose the European Union’s Fourth Anti-Money Laundering Directive into UK law. The regulations were effective from 26 June 2017.

The regulations:

  • are more prescriptive than previous legislation
  • require a risk assessment of the business as a whole, covering:
    * customer risk
    * geographic risk
    * product risk
    * transactions and delivery channel risk.

The regulations build on the current regulatory framework, although there are some specific, and potentially significant, changes that you need to be aware of.

CCAB has issued guidance for the accountancy sector.

Money laundering regulations: overview

Whole-firm risk assessment (s.18)

Identifying and assessing risk was an important theme running through the Money Laundering Regulations 2007 (MLR07), and firms were encouraged to assess the risks faced by the business, as well as the risk that clients would be involved in money laundering or terrorist financing.

The regulations set out a more prescriptive approach to this firm-wide risk assessment. There is a requirement for a written risk assessment (that we can ask you to submit to us) and a list of factors that you must take into account. These are:

  • information provided by your supervisory authority on risk factors in the sector
  • your customers
  • the countries or geographic areas in which you operate
  • your products or services
  • your transactions
  • your delivery channels.

You can continue to use chapter 4 of the CCAB guidance to help you perform your risk assessment. This chapter encourages you to design the nature and extent of your AML procedures based on:

  • the nature, scale, complexity and diversity of your business
  • the geographical spread of your client operations, including any local AML regimes that apply
  • the extent to which operations are linked to other organisations (such as networking businesses, agencies or outsourcing suppliers).

The regulations accept that the nature of the risk assessment will depend on the size and nature of your firm. The overall risk assessment of a small firm may be quite succinct; the most important part is that you properly identify and assess the risk of money laundering or terrorist financing and that your assessment is documented. 

Internal controls: officer responsible for compliance (s.21a)

Firms must now appoint a money laundering compliance principal (MLCP) and that individual must be on the board of directors (or equivalent management body), or a member of senior management, where appropriate to the size and nature of the business.

Firms must also appoint a nominated officer (ie the individual nominated to receive internal suspicious activity reports and who assesses whether a suspicious activity report should be made to the National Crime Agency (NCA)).

The MLCP and the nominated officer can be the same person, but the identity of each must be communicated to your supervisory body within 14 days of first appointment.

All firms currently have a money laundering reporting officer under MLR07; you now need to make sure that this individual is on the board of directors (or equivalent management body), or is a member of senior management, and that they have responsibility for compliance with the regulations.

Internal controls: screening of relevant employees (s.21b)

Where appropriate to the size and nature of the business, firms must now assess the skills, knowledge, conduct and integrity of those employees who are involved in identifying, mitigating, preventing or detecting money laundering and terrorist financing in the course of business. This includes those staff whose work is relevant to compliance with the regulations.

You will already assess your staff for competence, conduct and integrity. You must now make sure that these assessments also cover the skills and knowledge needed to identify and deal with money laundering and terrorist financing.

You must also regularly train your staff in how to recognise and deal with transactions and other activities that may be related to money laundering or terrorist financing. 

Internal controls: independent audit function (s.21c)

The regulations say that firms must establish an independent audit function to assess the adequacy and effectiveness of the firm’s AML policies, controls and procedures.

You should already be performing a money laundering compliance review, which we believe addresses the requirement for an independent audit function. You should make sure that your money laundering compliance principal is responsible for performing this review. You should perform a compliance review regularly and, where you identify any recommendations, you must monitor the firm’s compliance with these recommendations. 

Policies, controls and procedures (s.19 and s.20)

MLR07 required firms to have policies, controls and procedures to prevent activities related to money laundering and terrorist financing, and to meet data protection requirements. A written record of training must be maintained.

The regulations build on these by requiring you to document these policies, controls and procedures and your senior management to approve them.

There is also a new requirement for firms with overseas subsidiaries and branches to establish group-wide policies and procedures that comply with UK requirements:

  • If you have a subsidiary or branch that operates in a European Economic Area (EEA) state, you must make sure that the subsidiary or branch complies with the money laundering laws of that state.
  • If you have a subsidiary or branch that operates outside of the EEA, then you must make sure that the subsidiary or branch complies with the UK regulations. Where this is not possible because of local legislation, you must inform your supervisory authority and implement additional procedures to address the money laundering risk.

Client due diligence (CDD)

The regulations keep the core requirement that you must perform client due diligence before you establish a business relationship and when you identify any factors relevant to your risk assessment that have changed. These may include:

  • your client’s identity has changed
  • you have identified a transaction that isn’t consistent with your knowledge of your client
  • the services you are providing to your client have changed.

You must still identify and verify the client and any beneficial owner, but the regulations state that you can’t rely solely on Companies House.

There are three key changes to the CDD requirements:

  • You must now also complete CDD where you only perform company formation services, even if that service is a one-off service for that client (s.4(2)).
  • You must also identify and verify the identity of a person purporting to act on behalf of your client.
  • You must obtain and verify the name of the body corporate, its registration number, its registered address and principal place of business. You must also take reasonable measures to determine and verify the law to which it is subject, its constitution (set out in governing documents) and the names of the board of directors and its senior management (s.28(3)).

Simplified due diligence (SDD) (s.37)

Under MLR07, SDD was the default option for a defined list of entities – for example, listed companies.

Instead, the regulations now embed SDD into the risk-based approach. You must still perform CDD but you may limit that due diligence where you consider SDD to be appropriate. The regulations give a list of low-risk factors where SDD may be appropriate, which is similar to the list of entities in MLR07 (eg credit or financial institutions) but also includes customers in geographical areas of lower risk.

Enhanced due diligence (EDD) (s.33)

The rules around EDD are significantly different under the regulations. There is a defined list of situations where you must apply EDD. These are:

  • where there is a high risk of money laundering or terrorist financing
  • in any business relationship with a client established in a high-risk country
  • if the client is a politically exposed person (PEP), or a family member or known close associate of a PEP
  • in any case where the client has provided false or stolen identification documentation or information on establishing a relationship
  • in cases where you identify that the client has entered into transactions that are complex and unusually large, or there is an unusual pattern of transactions, and the transaction or transactions have no apparent economic or legal purpose.

If your risk assessment identifies that you should carry out EDD, then you must, as a minimum:

  • As far as reasonably possible, understand the background and purpose of the transaction.
  • Increase the degree and nature of monitoring of the business relationship to determine whether the transaction or your business relationship are suspicious.

You may also choose to perform one or more of the following measures:

  • Seek additional independent, reliable sources to verify information the client has provided to you.
  • Take additional measures to understand better the background, ownership and financial situation of your client, and other parties to the transaction.
  • Take further steps to satisfy yourself that the transaction is consistent with the purpose and intended nature of the business relationship.
  • Increase your monitoring of the business relationship, including greater scrutiny of transactions.

The regulations give a list of risk factors that might indicate that there is a high risk of money laundering or terrorist financing. You should consider these when assessing if EDD might be appropriate (s.33).

Risk factors

Customer risk factors

  • The business relationship is conducted in unusual circumstances.
  • The customer is resident in a geographical area considered to be an area of high risk.
  • The customer is a legal person or arrangement that is a vehicle for holding personal assets.
  • The customer is a company that has nominee shareholders or bearer shares.
  • The customer is a business that is cash intensive.
  • The corporate structure of the customer is unusual or excessively complex given the nature of the company’s business.

Product, service, transaction or delivery channel risk factors

  • The product involves private banking.
  • The product or transaction is one that might favour anonymity.
  • The situation involves non-face-to-face business relationships or transactions without certain safeguards such as electronic signatures.
  • Payments will be received from unknown or un-associated third parties.
  • New products and new business practices are involved, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products.
  • The service involves the provision of nominee directors, nominee shareholders or shadow directors, or the formation of companies in third countries.

Geographical risk factors

  • countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective systems to counter money laundering and terrorist financing
  • countries identified by credible sources as having significant levels of corruption or other criminal activity
  • countries subject to sanctions, embargoes or similar measures issued by, for example, the European Union (EU) or the United Nations
  • countries providing funding or support for terrorism
  • countries that have organisations designated by the UK, the EU or other countries/international organisations as terrorist organisations.

Typically for companies the information would include:

  • name of the body corporate
  • its registration number
  • its registered address
  • principal place of business
  • the law to which it is subject
  • its memorandum of association and governing documents
  • the names of the board of directors and its senior management.

The regulations also:

  • require companies to respond to CDD requests within two working days
  • require companies to inform you of changes within two days
  • treat company formation as a business relationship subject to CDD.

Politically exposed persons (PEP)

The regulations require you to have procedures in place that will identify whether a client, or the beneficial owner of a client, is a PEP or a family member or known close associate of a PEP.

A family member of a PEP includes their spouse, civil partner, children and parents.

A known close associate of a PEP means:

  • an individual known to have joint beneficial ownership of a legal entity or a legal arrangement or any other close business relations with a PEP
  • an individual who has sole beneficial ownership of a legal entity or a legal arrangement which is known to have been set up for the benefit of a PEP.

When you identify that a potential client is a PEP, you must assess the level of risk associated with that client and the extent of any EDD that you should perform. As a minimum, you must:

  • obtain senior management approval for the relationship
  • take adequate measures to establish the source of wealth and funds
  • perform enhanced ongoing monitoring of the relationship.

When a client ceases to be a PEP, you must continue to apply your EDD procedures for at least 12 months (or longer if necessary to address the risk of money laundering or terrorist financing). However, if your client is a family member or known close associate of a PEP, you can stop applying EDD procedures as soon as the PEP status ends.

In determining whether someone is a known close associate of a PEP, obliged entities are allowed to rely on information they already hold or that which is freely available in the public domain.

Reliance on third parties (s.39)

If you place reliance on the CDD of a third party, or if a third party places reliance on your CDD, you need to be aware of the changes under the regulations.

If you are relying on a third party, you must obtain copies of all relevant documentation. You must also enter into a written arrangement that confirms that the firm being relied on will provide the relevant documentation immediately on request.

In summary, for reliance on third parties for CDD:

  • a written agreement is needed
  • the third party must retain the documents and make them available within two working days of a request by the firm relying on them.