The draft Money Laundering, Terrorist Financing and Transfer of Funds (Information on Payer) Regulations 2017 were published on 15 March 2017. The regulations are not as long as the title sounds (or as scary) but failure to take note of the changes can expose firms to prosecution or disciplinary action. Firms with Lexcel should renew their AML policies to ensure compliance with the new regulations.
1 Risk assessment
Firms doing work in the regulated sector will have to carry out a risk assessment and provide that risk assessment to the Solicitors Regulation Authority (SRA) on request.
The Money Laundering Regulations 2007 (MLR) required firms to keep policies relating to risk assessment. The 2017 Regulations are much more prescriptive. Firms must now:
- Set out the procedure (undertaken by a relevant person) to analyse the business's potential exposure to money laundering or terrorist financing
- Demonstrate and document that risk assessments are conducted, kept up to date and take into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or delivery channels
2 Policies and procedures
Revised reporting, record keeping and monitoring processes are now required, meaning that the relevant person in a firm must produce a written AML risk report that is then translated into written policies.
3 Group level and internal controls
- Firms which are parent undertakings will be required to apply their policies, controls, and procedures to their subsidiaries and branches in the UK and overseas. Subsidiaries and branches in EEA states must comply with the national law while subsidiaries and branches in third countries with less strict regimes must follow equivalent measures to those required by the regulations
- Firms will also be required to establish and maintain group controls and procedures for data protection and the sharing of information for the purposes of preventing money laundering and terrorist financing.
For internal purposes a firm must:
- Appoint a member of the board or management body to be responsible for compliance
- Screen employees and other agents that carry out work relevant to the firm's AML procedures
- Establish an independent audit function to assess the efficacy of the firm's policies and procedures and to make recommendations to monitor compliance with the regulations
These requirements are proportionate depending on the size and nature of the firm's business - not all firms will need to have all of these controls in all circumstances.
4 Customer due diligence
The circumstances in which simplified customer due diligence (CDD) is permissible will become more restricted - in a significant departure from the Money Laundering Regulations 2007, 'automatic' simplified due diligence for certain transactions will end. Instead, a relevant person will need to consider both customer and geographical risk factors in deciding whether simplified due diligence is appropriate.
The exemption from enhanced CDD is not automatic, and the decision to apply simplified CDD should be backed up by documentation. The Law Society has warned that some of these situations will create an undue burden on firms, particularly in the case of pooled client accounts.
5 Enhanced due diligence
Another major change is the creation of a list of high risk jurisdictions which, if involved in a transaction, will make enhanced due diligence (EDD) and additional risk assessment compulsory.
- Firms must also identify and verify the identity of a person purporting to act on behalf of the customer
- Relevant persons will still be able to rely on the CDD carried out by a third party if that third party is either subject to the MLR 2017 or an equivalent regime. However, the conditions for doing so are more prescriptive
6 Measures for local politically exposed persons
The parts of MLR 2007 which applied only to foreign politically exposed persons (PEPs) will now also apply to local PEPs and include domestic individuals occupying prominent public positions. This will broaden the scope of application of enhanced due diligence checks.
- Firms will need to review their existing client portfolio to identify any domestic PEPs and to apply enhanced due diligence accordingly.
Regular training to relevant employees and agents is crucial to ensure they are made aware of the law relating to money laundering, terrorist financing and data protection. Firms will be able to refer to the revised Law Society AML practice note for more information on how to satisfy these requirements (the note will be published by the end of June).
8 Approval requirements for beneficial owners
Corporate bodies and other legal entities will be required to maintain accurate and current information on their beneficial ownership.
- Beneficial owners, officers or managers of a firm must apply to the SRA for approval by 26 June 2018. They will be approved unless the person has been convicted of a relevant offence
9 Record keeping and data retention
- Firms will be required to retain records of CDD documents and supporting evidence for at least five years after the end of the business relationship or occasional transaction.
- At the end of five years, personal data must be deleted unless express consent is given to retain that data or the firm is otherwise required to retain it (ie for the purposes of court proceedings).
- You will need to amend your systems and procedures to ensure that, unless an exemption applies, such personal data is deleted
Your 'to do' list
How should you start? First steps:
- Initiating and documenting a risk-based assessment of money laundering
- Training staff on how to access the beneficial ownership registry
- Updating policies and procedures to reflect the changes
- Adding an audit function to test procedures
- A review of all new policies by senior management
Explore our AML resources
Watch the AML Update webinar about the new Money Laundering Regulations 2017 with Jonathan Fisher QC, Bright Line Law. Free for Risk and Compliance members