Quick guide to the Money Laundering Regulations 2017

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) came into force in June 2017.  

Our quick guide gives you an overview of the key issues firms need to be aware of as a result of the transposition of the Fourth EU Money Laundering Directive.  

The Legal Sector Affinity Group, which represents the legal sector AML supervisors and includes the Law Society and the Solicitors Regulation Authority (SRA), has developed the anti-money laundering (AML) guidance for the legal sector. This Treasury-approved guidance provides more detail about the MLR 2017 and what is expected of firms, and should be read with this quick guide. 

The MLR 2017 will be amended again in January 2020 as the Fifth Money Laundering Directive is transposed. We’ll be publishing additional resources, including revised guidance, to help you and your firm comply.  

The MLR 2017 and what it covers 

• What the MLR 2017 does
• Legal roles covered by the MLR 2017 
• Legal roles not covered by the MLR 2017
• Legal activities not covered by the MLR 2017
• If you work elsewhere in the regulated sector 

What you need to do 

• Conduct a money laundering and terrorist financing risk assessment
• Implement systems, policies, controls and procedures to address money laundering and terrorist financing risks and meet the requirements under the MLR 2017
• Apply your policies, procedures and controls across your firm’s group structure (if relevant)
• Adopt appropriate internal controls
• Provide training to staff
• Apply for approval if you are the beneficial owner, officer or manager of a firm
• Comply with new customer due diligence, enhanced due diligence and simplified due diligence requirements
• Comply with requirements relating to politically exposed persons
• Make sure your record keeping and data protection systems, policies and procedures meet the requirements of the regulations
• Comply with new obligations relating to record keeping and the provision of information about beneficial ownership if you act as a trustee of a relevant trust

back to top

What the MLR 2017 does

The MLR 2017 sets out the additional obligations of private sector firms working in areas of higher money laundering risk.

They aim to stop criminals using professional services to launder money by requiring professionals to take a risk-based approach. Firms must put measures in place to identify their clients and monitor how they use their services.

Legal roles covered by the MLR 2017

The MLR 2017 applies to independent legal professionals.  An independent legal professional is a firm or a sole practitioner who:

• buys and sells real property or business entities 
• manages client money, securities or other assets 
• opens or manages bank, savings or securities accounts 
• organises contributions necessary for the creation, operation or management of companies 
• creates, operates or manages trusts, companies, foundations or similar structures  

Legal roles not covered by the MLR 2017

The MLR 2017 does not apply to: 

• legal professionals employed by a public authority or working in-house 
• work undertaken by a notary as a public certifying officer where they have no substantive role in the underlying transaction 

Legal activities not covered by the MLR 2017

The MLR 2017 does not apply to:

• paying costs to a legal professional
• providing legal advice 
• participation in litigation or a form of alternative dispute resolution 
• will-writing, although you should consider whether any accompanying taxation advice is covered 
• work funded by the Legal Services Commission 

You should get legal advice if you are not certain whether the MLR 2017 apply to your work. Alternatively, you may wish to follow the MLR 2017 even if you are not performing regulated work. 

If you work elsewhere in the regulated sector

You need to consider whether you offer services which make you a: 

• tax adviser 
• insolvency practitioner 
• trust or company service provider 

See regulations 11(d) and 12(2) for definitions of these roles. 

back to top

Conduct a money laundering and terrorist financing risk assessment

Under regulation 18 you must carry out a written risk assessment to identify and assess the risk of money laundering and terrorist financing that your firm faces. This will: 

• assist you in developing policies, procedures and controls to mitigate the risk of money laundering and terrorist financing 
• help you apply a risk-based approach to detecting and preventing money laundering and terrorist financing and 
• inform your assessment of the level of risk associated with particular business relationships and transactions and enable you to make appropriate risk-based decisions about clients and retainers 

When you carry out your risk assessment you must take into account information on money laundering and terrorist financing risks made available to you by the Law Society and/or the SRA, and risk factors relating to: 

• your customers 
• the countries or geographic areas where your firm operates 
• your products and services 
• your transactions and 
• your delivery channels 

Things you should consider include, but are not limited to: 

• whether you have a high client turnover or a stable client base 
• whether you have clients based in jurisdictions where there is a higher risk of money laundering or terrorist financing 
• whether you have clients who operate in sectors that, by their nature, pose a higher risk of money laundering 
• whether and how often you act for politically exposed persons 
• whether and how often you act for clients without meeting them 
• the types of work your firm undertakes 

Your risk assessment should also consider the steps you have taken to mitigate the risks of money laundering and terrorist financing that your firm faces. 

Implement systems, policies, controls and procedures to address money laundering and terrorist financing risks and meet the requirements under the MLR 2017

You must establish and maintain written policies, controls and procedures to manage and mitigate the money laundering and terrorist financing risks identified in your risk assessment. These must be:  

• proportionate to the size and nature of your business 
• approved by senior management  
• regularly reviewed and updated  
• communicated internally within your firm 

Your policies controls and procedures must cover: 

• your risk management practices 
• the controls you have adopted in accordance with regulation 21 to 24 (or, where appropriate, why you have not adopted those controls) 
• how you conduct customer due diligence 
• your reporting and record keeping systems 
• monitoring, internally communicating and managing compliance with your firm’s policies controls and procedures 
• the identification and scrutiny of complex and unusually large and unusual patterns of transactions that have no apparent economic or legal purpose and other activities you think are likely to be related to money laundering or terrorist financing 
• the taking of additional measures, where appropriate, to prevent money laundering or terrorist financing in relation to products and services that favour anonymity 
• taking appropriate steps to assess and, if necessary, mitigate the risk of money laundering and terrorist financing when you adopt new technology 
• the making of disclosures under part 3 of the Terrorism Act 2000 and part 7 of the Proceeds of Crime Act 2002 

Your systems, policies, procedures and controls should be risk-based, which means that you should focus your resources on the areas that present the greatest threat of money laundering and terrorist financing. A risk-based approach will allow you to: 

• use your resources efficiently and effectively 
• minimise compliance costs and burdens on clients  
• respond flexibly to new developments in money laundering and terrorist financing 

back to top

Apply your policies, procedures and controls across your firm’s group structure (if relevant)

If your firm is part of a wider group structure, you will need to ensure that your policies, controls and procedures apply to: 

• all subsidiary undertakings, including those outside the UK, and 
• all branches established outside the UK which carry out activities that would be regulated if carried out in the UK. 

Your subsidiaries or branches located in EEA states must follow the national law implementing the Fourth Directive, while those located in states outside the UK that do not have anti-money laundering and terrorist financing law as strict as those in the UK must apply measures equivalent to those required under UK law as far as possible. 

Adopt appropriate internal controls

The MLR 2017 provide that, where appropriate with regard to the size and nature of your business, you must: 

• appoint a person at the level of the board of directors, equivalent management body or 'senior management' to be responsible for compliance with the MLR 2017 (a person will meet the definition of senior management if they have sufficient knowledge of your firm's money laundering and terrorist financing risk exposure and sufficient authority to take decisions affecting your firm's risk exposure) 
• carry out screening of relevant employees prior to their appointment and during the course of their appointment 
• establish an independent audit function to examine, evaluate and make recommendations about the adequacy of your policies controls and procedures and monitor your firm's compliance with them 

The requirement to appoint an officer responsible for compliance with the MLR 2017 is additional to your obligation to appoint an MLRO and a COLP, though the same person can hold more than one of those roles. You will need to inform the SRA of the identity of your MLRO and your officer responsible for compliance with the MLR 2017 within 14 days of their appointment. 

You may already undertake some level of screening in relation to your staff, but you will need to ensure that this includes an assessment of their skills, knowledge and expertise to carry out their functions effectively and an assessment of their conduct and integrity. 

The MLR 2017 do not state that the independent audit function has to be external to your firm, but it should be independent of the specific function being reviewed. 

You must also establish and maintain systems that allow you to 'respond fully and rapidly' to enquiries from law enforcement about whether you’ve had a business relationship with a person in the last five years and the nature of that relationship (subject to any constraints arising from legal professional privilege). 

Provide training to staff

As with the MLR 2017, you will need to provide staff with appropriate training on money laundering and terrorist financing. This now includes an obligation to make staff aware of the law on data protection, where it’s relevant to the implementation of the MLR 2017. 

Apply for approval if you are the beneficial owner, officer or manager of a firm

The beneficial owners, officers or managers of your firm will have a year to apply to the SRA for approval, which must be granted unless they have been convicted of a relevant offence. Acting as a beneficial owner, officer or manager of a firm without approval after 26 June 2018 is a criminal offence (unless you have applied for approval and it has yet to be determined). You will also need to apply for SRA approval if you are a sole practitioner. 

We’ll provide further information about applying for approval once it’s available from the SRA. 

back to top

Comply with new customer due diligence, enhanced due diligence and simplified due diligence requirements

Customer due diligence (CDD) 

Under the MLR 2017 you are required to: 

• identify your client and verify their identity on the basis of a reliable independent source (such as a passport) 
• where applicable, identify the beneficial owners of the client, take reasonable measures to verify their identity so you know who they are and, if the beneficial owner is an entity or legal arrangement, take reasonable measures to understand its ownership and control structure 
• assess and where appropriate obtain information on the purpose and intended nature of the business relationship or transaction and 
• identify and verify the identity of a person who purports to act on behalf of a client and verify that they are authorised to act on behalf of the client 

How you comply with the requirement to take CDD measures may differ from case to case but must reflect both your firm's risk assessment and your assessment of the level of risk arising in the particular case. 

The MLR 2017 are more prescriptive than the 2007 regulations when it comes to carrying out CDD checks on corporate bodies. Where your client is a corporate body, you must obtain and verify: 

• its name 
• its company number or other registration and 
• the address of its registered office and, if different, its principal place of business. 
• In addition, unless the corporate body is a company listed on a regulated market, you must take reasonable measures to determine and verify: 
• the law to which it’s subject and its constitution or other governing documents and 
• the names of the board of directors (or equivalent management body) and the senior persons responsible for its operations 

Regulation 43(1) imposes an obligation on corporate bodies (other than companies listed on a regulated marker) to provide you with the information outlined above when you enter into a transaction or form a business relationship with them, which should assist you in carrying out your CDD checks. 

Enhanced due diligence (EDD) 

Regulation 33(1) sets out a list of circumstances in which EDD measures must be applied. It includes any transaction or business relationship involving:  

• a person established in a 'high risk third country' 
• any transaction or business relationship involving a 'politically exposed person' (PEP) or a family member or known associate of a PEP and  
• any other situation that presents a higher risk of money laundering or terrorist financing 

Regulation 33(6) sets out a list of factors that must be taken into account in assessing whether there is a higher risk of money laundering and terrorist financing present in a given situation and the extent of EDD measures that should be applied. While you must take these factors into account, you should consider the situation as a whole and bear in mind that the presence of one or more of the risk factors identified in 33(6) is not in and of itself determinative of a higher risk situation. 

Under the MLR 2017’s EDD measures must include, as a minimum: 

• examining the background and purpose of the transaction  
• increasing your monitoring of the business relationship 

Simplified due diligence (SDD) 

Simplified due diligence is permitted where you determine that the business relationship or transaction presents a low risk of money laundering or terrorist financing, taking into account your risk assessment. This is a change from the Money Laundering Regulations 2007, under which SDD was the default option for a defined list of entities. 

Regulation 37(3) sets out a list of factors to be taken into account in determining whether a situation poses a lower risk of money laundering or terrorist financing, such that SDD measures can be applied. However, you should be aware that the presence of one or more of the factors in 37(3) is not necessarily indicative that a given situation is low  

back to top

Comply with requirements relating to politically exposed persons

Politically exposed persons (PEPs) have been a focus for FATF and the EU in recent years due to growing concerns about them using their political positions to corruptly enrich themselves. 

Under the MLR 2017 you’re required to have appropriate risk management systems and procedures in place to determine whether a client, or the beneficial owner of a client, is PEP, or a family member of known close associate of a PEP. You will also need to have appropriate risk management systems and procedures in place to manage the enhanced risks arising from your relationship with the client. 

If you have a business relationship with a PEP or a family member or a known close associate of a PEP you must, as a minimum: 

• have senior management approval for establishing or continuing the business relationship 
• take adequate measures to establish source of wealth and source of funds involved in the business relationship or transaction 
• conduct enhanced ongoing monitoring of the business relationship 

A PEP is defined in regulation 35(12) and, unlike under the Money Laundering Regulations 2007, the definition includes UK PEPs.  

Make sure your record keeping and data protection systems, policies and procedures meet the requirements of the regulations

Under regulation 40 you must keep a copy of the documents and information you obtained to fulfil your CDD obligations. You must also have sufficient supporting records of the transaction for it to be reconstructed for a period of five years following the completion of the transaction or the end of the business relationship. At the end of the five-year period you must delete any personal data in those records unless: 

• you’re required to retain records containing person data under an enactment or for the purposes of court proceedings or you have reasonable grounds for believing the records need to be retained for legal proceedings or 
• you have the consent of the person whose data it is 
• Under regulation 41 you may not process personal data obtained for the purposes of the MLR 2017 for any other purpose unless it is permitted under an enactment or you have the consent of person whose data it is. In addition, you must provide new clients with: 
• the information specified in paragraph 2(3) of Part 2 of Schedule 1 to the Data Protection Act 1998 and 
• a statement that any personal data received from the client will only be processed for the purposes of the preventing money laundering or terrorist financing unless permitted by an enactment or unless they provide consent 

You should consider whether you need to update your client care letters and/or terms of business as a result of the MLR 2017. 

back to top

Comply with new obligations relating to record keeping and the provision of information about beneficial ownership if you act as a trustee of a relevant trust

Part 5 of the regulations imposes obligations on trustees of relevant trusts to: 

• maintain accurate and up-to-date written records of the beneficial owners and potential beneficiaries of the trust 
• inform a relevant person that you’re acting as a trustee and provide them with information on the beneficial owners and potential beneficiaries of a trust when you enter into a relevant transaction or business relationship and 
• provide certain information to HM Revenue and Customs, which will then be recorded on its beneficial ownership register  

For the purposes of part 5 of the regulations, a relevant trust is a UK express trust or an offshore express trust which is liable, even if only occasionally, to: 

• UK income tax  
• capital gains tax 
• inheritance tax  
• stamp duty land tax 
• land and buildings transaction tax  
• stamp duty reserve tax because the trust’s assets or income include some UK source income or UK assets 

back to top