This quick guide provides a brief overview of the key issues firms will need to be aware of and the changes they will have to implement in order to comply with the regulations.
The new regulations
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the regulations), which transpose the Fourth EU Money Laundering Directive into UK law, were laid before parliament on 22 June and commenced on 26 June.
Although the Fourth Directive was finalised in June 2015, a draft version of the regulations was only released in March 2017 and the regulations themselves were only laid before parliament one working day prior to commencement (breaking the '21 day rule' for statutory instruments).
As such, firms have had a very limited time in which to prepare for the new regulations, while supervisory authorities have only had a short window in which to update their anti-money laundering (AML) guidance.
The Legal Sector Affinity Group, which represents the legal sector AML supervisors and includes the Solicitors Regulation Authority (SRA), has informed HM Treasury that it intends to take a sensible and pragmatic approach to AML supervision following the commencement of the new regulations, allowing legal professionals a period of time to adapt to the new requirements. The Legal Sector Affinity Group is also producing a new, single piece of AML guidance, based on the Law Society's AML practice note, to apply across the entire legal sector. You can read more about the current status of the new AML guidance and the Legal Sector Affinity Group's approach to supervision in the practice note.
What you need to do
Conduct a money laundering and terrorist financing risk assessment
Under regulation 18 you must carry out a written risk assessment to identify and assess the risk of money laundering and terrorist financing that your firm faces. This will:
- assist you in developing policies, procedures and controls to mitigate the risk of money laundering and terrorist financing
- help you apply a risk based approach to detecting and preventing money laundering and terrorist financing and
- inform your assessment of the level of risk associated with particular business relationships and transactions and enable you to make appropriate risk-based decisions about clients and retainers.
In carrying out your risk assessment you must take into account information on money laundering and terrorist financing risks made available to you by the Law Society and/or the SRA, and risk factors relating to:
- your customers
- the countries or geographic areas where your firm operates
- your products and services
- your transactions and
- your delivery channels
Things you should consider include (but are not limited to):
- whether you have a high client turnover or a stable client base
- whether you have clients based in jurisdictions where there is a higher risk of money laundering or terrorist financing
- whether you have clients who operate in sectors that, by their nature, pose a higher risk of money laundering
- whether and how often you act for politically exposed persons
- whether and how often you act for clients without meeting them
- the types of work your firm undertakes
Your risk assessment should also consider the steps you have taken to mitigate the risks of money laundering and terrorist financing that your firm faces.
Implement systems, policies, controls and procedures to address money laundering and terrorist financing risks and meet the requirements under the regulations
You must establish and maintain written policies, controls and procedures to effectively manage and mitigate the money laundering and terrorist financing risks identified in your risk assessment. These must be proportionate to the size and nature of your business, approved by senior management, regularly reviewed and updated and communicated internally within your firm.
Your policies, controls and procedures must cover:
- your risk management practices
- the controls you have adopted in accordance with regulations 21 to 24 (or, where appropriate, why you have not adopted those controls)
- how you conduct customer due diligence
- your reporting and record keeping systems
- monitoring, internally communicating and managing compliance with your firm's policies, controls and procedures
- the identification and scrutiny of complex or unusually large transactions, of unusual patterns of transactions that have no apparent economic or legal purpose, and of any other activity you regard as particularly likely to be related to money laundering or terrorist financing
- the taking of additional measures, where appropriate, to prevent money laundering or terrorist financing in relation to products and services that favour anonymity
- taking appropriate steps to assess and, if necessary, mitigate the risk of money laundering and terrorist financing when you adopt new technology
- the making of disclosures under part 3 of the Terrorism Act 2000 and part 7 of the Proceeds of Crime Act 2002.
Your systems, policies, procedures and controls should be risk-based, which means that you should focus your resources on the areas that present the greatest threat of money laundering and terrorist financing. A risk-based approach will allow you to use your resources most efficiently and effectively, minimise compliance costs and burdens on clients and respond flexibly to new developments in money laundering and terrorist financing.
Apply your policies, procedures and controls across your firm’s group structure (if relevant)
If your firm is part of a wider group structure, you will need to ensure that your policies, controls and procedures apply to:
- all subsidiary undertakings, including those outside the UK, and
- all branches established outside the UK which carry out activities that would be regulated if carried out in the UK.
Your subsidiaries or branches located in EEA states must follow the national law implementing the Fourth Directive, while those located in states outside the UK that do not have anti-money laundering and terrorist financing law as strict as those in the UK must apply measures equivalent to those required under UK law insofar as it is possible to do so.
Adopt appropriate internal controls
The regulations provide that, where appropriate with regard to the size and nature of your business, you must:
- Appoint a person at the level of the board of directors, equivalent management body or 'senior management' to be responsible for compliance with the regulations. A person will meet the definition of senior management if they have sufficient knowledge of your firm's money laundering and terrorist financing risk exposure and sufficient authority to take decisions affecting your firm's risk exposure.
- Carry out screening of relevant employees prior to their appointment and during the course of their appointment.
- Establish an independent audit function to examine, evaluate and make recommendations about the adequacy of your policies controls and procedures and monitor your firm's compliance with them.
The requirement to appoint an officer responsible for compliance with the regulations is additional to your obligation to appoint an MLRO and a COLP, though the same person can hold more than one of those roles. You will need to inform the SRA of the identity of your MLRO and your officer responsible for compliance with the regulations within 14 days of their appointment.
You may already undertake some level of screening in relation to your staff, but you will need to ensure that this includes an assessment of their skills, knowledge and expertise to carry out their functions effectively and an assessment of their conduct and integrity.
The regulations do not state that the independent audit function has to be external to your firm, but it should be independent of the specific function being reviewed.
You must also ensure that you establish and maintain systems that allow you to 'respond fully and rapidly' to enquiries from law enforcement as to whether you have had a business relationship with a person in the last five years and the nature of that relationship (subject, of course, to any constraints arising out of legal professional privilege).
Provide training to staff
As with the Money Laundering Regulations 2007, you will need to provide staff with appropriate training on money laundering and terrorist financing. This now includes an obligation to make staff aware of the law on data protection, insofar as it is relevant to the implementation of the regulations.
Apply for approval if you are the beneficial owner, officer or manager of a firm
The 'beneficial owners, officers or managers' of your firm will have a year to apply to the SRA for approval, which must be granted unless they have been convicted of a relevant offence. Acting as a beneficial owner, officer or manager of a firm without approval after 26 June 2018 is a criminal offence (unless you have applied for approval and it has yet to be determined). You will also need to apply for SRA approval if you are a sole practitioner.
We will provide further information about the process for applying for approval once it has been made available by the SRA.
Comply with new customer due diligence, enhanced due diligence and simplified due diligence requirements
Customer due diligence (CDD)
Under the regulations you are required to:
- identify your client and verify their identity on the basis of a reliable independent source (such as a passport)
- where applicable, identify the beneficial owners of the client, take reasonable measures to verify their identity so you know who they are and, if the beneficial owner is an entity or legal arrangement, take reasonable measures to understand its ownership and control structure
- assess and where appropriate obtain information on the purpose and intended nature of the business relationship or transaction and
- identify and verify the identity of a person who purports to act on behalf of a client and verify that they are authorised to act on behalf of the client.
The way you comply with the requirement to take CDD measures may differ from case to case but must reflect both your firm's risk assessment and your assessment of the level of risk arising in the particular case.
The new regulations are more prescriptive than the 2007 regulations when it comes to carrying out CDD checks on corporate bodies. Where your client is a corporate body, you must obtain and verify:
- its name
- its company number or other registration and
- the address of its registered office and, if different, its principal place of business.
In addition, unless the corporate body is a company listed on a regulated market, you must take reasonable measures to determine and verify:
- the law to which it is subject and its constitution or other governing documents and
- the names of the board of directors (or equivalent management body) and the senior persons responsible for its operations.
Regulation 43(1) imposes an obligation on corporate bodies (other than companies listed on a regulated market) to provide you with the information outlined above when you enter into a transaction or form a business relationship with them, which should assist you in carrying out your CDD checks.
Enhanced due diligence (EDD)
Regulation 33(1) sets out a list of circumstances in which EDD measures must be applied, which includes any transaction or business relationship involving a person established in a 'high risk third country', any transaction or business relationship involving a 'politically exposed person' (PEP) or a family member or known associate of a PEP and any other situation that presents a higher risk of money laundering or terrorist financing.
Regulation 33(6) sets out a list of factors that must be taken into account in assessing whether there is a higher risk of money laundering and terrorist financing present in a given situation and the extent of EDD measures that should be applied. While you must take these factors into account, you should consider the situation as a whole and bear in mind that the presence of one or more of the risk factors identified in 33(6) is not in and of itself determinative of a higher risk situation.
Under the regulations EDD measures must include, as a minimum, examining the background and purpose of the transaction and increasing your monitoring of the business relationship.
Simplified due diligence (SDD)
Simplified due diligence is permitted where you determine that the business relationship or transaction presents a low risk of money laundering or terrorist financing, taking into account your risk assessment. This is a change from the Money Laundering Regulations 2007, under which SDD was the default option for a defined list of entities.
Regulation 37(3) sets out a list of factors to be taken into account in determining whether a situation poses a lower risk of money laundering or terrorist financing, such that SDD measures can be applied. However, you should be aware that the presence of one or more of the factors in 37(3) is not necessarily indicative that a given situation is lower risk.
Comply with requirements relating to politically exposed persons
Politically exposed persons (PEPs) have been a focus for FATF and the EU in recent years due to growing concerns about PEPs using their political positions to corruptly enrich themselves.
Under the regulations you are required to have appropriate risk management systems and procedures in place to determine whether a client, or the beneficial owner of a client, is a PEP, or a family member or known close associate of a PEP. You will also need to have appropriate risk management systems and procedures in place to manage the enhanced risks arising from your relationship with the client.
If you have a business relationship with a PEP or a family member or a known close associate of a PEP you must, as a minimum:
- have senior management approval for establishing or continuing the business relationship
- take adequate measures to establish the source of wealth and source of funds involved in the business relationship or transaction
- conduct enhanced ongoing monitoring of the business relationship.
A PEP is defined in regulation 35(12) and, unlike under the Money Laundering Regulations 2007, the definition includes UK PEPs.
Ensure your record keeping and data protection systems, policies and procedures meet the requirements of the regulations
Under regulation 40 you must keep a copy of the documents and information you obtained to fulfil your CDD obligations and sufficient supporting records of the transaction to enable it to be reconstructed for a period of five years following the completion of the transaction or the end of the business relationship. At the end of the five-year period you must delete any personal data in those records unless:
- you are required to retain records containing personal data under an enactment or for the purposes of court proceedings, or you have reasonable grounds for believing the records need to be retained for legal proceedings, or
- you have the consent of the person whose data it is.
Under regulation 41 you may not process personal data obtained for the purposes of the regulations for any other purpose unless it is permitted under an enactment or you have the consent of the person whose data it is. In addition, you must provide new clients with:
- the information specified in paragraph 2(3) of Part 2 of Schedule 1 to the Data Protection Act 1998 and
- a statement that any personal data received from the client will only be processed for the purposes of the preventing money laundering or terrorist financing unless permitted by an enactment or unless they provide consent.
You should consider whether you need to update your client care letters and/or terms of business as a result of the regulations.
Comply with new obligations relating to record keeping and the provision of information about beneficial ownership if you act as a trustee of a relevant trust
Part 5 of the regulations imposes obligations on trustees of relevant trusts to:
- maintain accurate and up to date written records of the beneficial owners and potential beneficiaries of the trust
- inform a relevant person that you are acting as a trustee and provide them with information on the beneficial owners and potential beneficiaries of a trust when you enter into a relevant transaction or business relationship, and
- provide certain information to HM Revenue and Customs, which will then be recorded on a beneficial ownership register maintained by HM Revenue and Customs.
For the purposes of Part 5 of the regulations, a relevant trust is a UK express trust or an offshore express trust which is liable, even if only occasionally, to one or more of UK income tax, capital gains tax, inheritance tax, stamp duty land tax, land and buildings transaction tax or stamp duty reserve tax because the trust’s assets or income include some UK source income or UK assets.