The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) came into force in June 2017.
Our quick guide gives you an overview of the key issues firms need to be aware of as a result of the transposition of the Fourth EU Money Laundering Directive.
The Legal Sector Affinity Group, which represents the legal sector AML supervisors and includes the Law Society and the Solicitors Regulation Authority (SRA), has developed the anti-money laundering (AML) guidance for the legal sector. This Treasury-approved guidance provides more detail about the MLR 2017 and what is expected of firms, and should be read with this quick guide.
The MLR 2017 will be amended again in January 2020 as the Fifth Money Laundering Directive is transposed. We’ll be publishing additional resources, including revised guidance, to help you and your firm comply.
The MLR 2017 sets out the additional obligations of private sector firms working in areas of higher money laundering risk.
They aim to stop criminals using professional services to launder money by requiring professionals to take a risk-based approach. Firms must put measures in place to identify their clients and monitor how they use their services.
The MLR 2017 applies to independent legal professionals. An independent legal professional is a firm or a sole practitioner who:
The MLR 2017 does not apply to:
You should get legal advice if you are not certain whether the MLR 2017 apply to your work. Alternatively, you may wish to follow the MLR 2017 even if you are not performing regulated work.
You need to consider whether you offer services which make you a:
See regulations 11(d) and 12(2) for definitions of these roles.
Under regulation 18 you must carry out a written risk assessment to identify and assess the risk of money laundering and terrorist financing that your firm faces. This will:
When you carry out your risk assessment you must take into account information on money laundering and terrorist financing risks made available to you by the Law Society and/or the SRA, and risk factors relating to:
Things you should consider include, but are not limited to:
Your risk assessment should also consider the steps you have taken to mitigate the risks of money laundering and terrorist financing that your firm faces.
You must establish and maintain written policies, controls and procedures to manage and mitigate the money laundering and terrorist financing risks identified in your risk assessment. These must be:
Your policies, controls and procedures must cover:
Your systems, policies, procedures and controls should be risk-based, which means that you should focus your resources on the areas that present the greatest threat of money laundering and terrorist financing. A risk-based approach will allow you to:
If your firm is part of a wider group structure, you will need to ensure that your policies, controls and procedures apply to:
Your subsidiaries or branches located in EEA states must follow the national law implementing the Fourth Directive, while those located in states outside the UK that do not have anti-money laundering and terrorist financing laws as strict as those in the UK must apply measures equivalent to those required under UK law as far as possible.
The MLR 2017 provide that, where appropriate with regard to the size and nature of your business, you must:
The requirement to appoint an officer responsible for compliance with the MLR 2017 is additional to your obligation to appoint an MLRO and a COLP, though the same person can hold more than one of those roles. You will need to inform the SRA of the identity of your MLRO and your officer responsible for compliance with the MLR 2017 within 14 days of their appointment.
You may already undertake some level of screening in relation to your staff, but you will need to ensure that this includes an assessment of their skills, knowledge and expertise to carry out their functions effectively and an assessment of their conduct and integrity.
The MLR 2017 do not state that the independent audit function has to be external to your firm, but it should be independent of the specific function being reviewed.
You must also establish and maintain systems that allow you to 'respond fully and rapidly' to enquiries from law enforcement about whether you’ve had a business relationship with a person in the last five years and the nature of that relationship (subject to any constraints arising from legal professional privilege).
As with the MLR 2017, you will need to provide staff with appropriate training on money laundering and terrorist financing. This now includes an obligation to make staff aware of the law on data protection, where it’s relevant to the implementation of the MLR 2017.
The beneficial owners, officers or managers of your firm will have a year to apply to the SRA for approval, which must be granted unless they have been convicted of a relevant offence. Acting as a beneficial owner, officer or manager of a firm without approval after 26 June 2018 is a criminal offence (unless you have applied for approval and it has yet to be determined). You will also need to apply for SRA approval if you are a sole practitioner.
We’ll provide further information about applying for approval once it’s available from the SRA.
Under the MLR 2017 you are required to:
How you comply with the requirement to take CDD measures may differ from case to case but must reflect both your firm's risk assessment and your assessment of the level of risk arising in the particular case.
The MLR 2017 are more prescriptive than the 2007 regulations when it comes to carrying out CDD checks on corporate bodies. Where your client is a corporate body, you must obtain and verify:
Regulation 43(1) imposes an obligation on corporate bodies (other than companies listed on a regulated market) to provide you with the information outlined above when you enter into a transaction or form a business relationship with them, which should assist you in carrying out your CDD checks.
Regulation 33(1) sets out a list of circumstances in which EDD measures must be applied. It includes any transaction or business relationship involving:
Regulation 33(6) sets out a list of factors that must be taken into account in assessing whether there is a higher risk of money laundering and terrorist financing present in a given situation and the extent of EDD measures that should be applied. While you must take these factors into account, you should consider the situation as a whole and bear in mind that the presence of one or more of the risk factors identified in 33(6) is not in and of itself determinative of a higher risk situation.
Under the MLR 2017, EDD measures must include, as a minimum:
Simplified due diligence is permitted where you determine that the business relationship or transaction presents a low risk of money laundering or terrorist financing, taking into account your risk assessment. This is a change from the Money Laundering Regulations 2007, under which SDD was the default option for a defined list of entities.
Regulation 37(3) sets out a list of factors to be taken into account in determining whether a situation poses a lower risk of money laundering or terrorist financing, such that SDD measures can be applied. However, you should be aware that the presence of one or more of the factors in 37(3) is not necessarily indicative that a given situation is low
Politically exposed persons (PEPs) have been a focus for FATF and the EU in recent years due to growing concerns about them using their political positions to corruptly enrich themselves.
Under the MLR 2017 you’re required to have appropriate risk management systems and procedures in place to determine whether a client, or the beneficial owner of a client, is a PEP, or a family member or known close associate of a PEP. You will also need to have appropriate risk management systems and procedures in place to manage the enhanced risks arising from your relationship with the client.
If you have a business relationship with a PEP or a family member or a known close associate of a PEP you must, as a minimum:
A PEP is defined in regulation 35(12) and, unlike under the Money Laundering Regulations 2007, the definition includes UK PEPs.
Under regulation 40 you must keep a copy of the documents and information you obtained to fulfil your CDD obligations. You must also have sufficient supporting records of the transaction for it to be reconstructed for a period of five years following the completion of the transaction or the end of the business relationship. At the end of the five-year period you must delete any personal data in those records unless:
You should consider whether you need to update your client care letters and/or terms of business as a result of the MLR 2017.
Part 5 of the regulations imposes obligations on trustees of relevant trusts to:
For the purposes of part 5 of the regulations, a relevant trust is a UK express trust or an offshore express trust which is liable, even if only occasionally, to:
While every effort has been made to ensure the accuracy of the information in this article, it does not constitute legal advice and cannot be relied upon as such. The Law Society does not accept any responsibility for liabilities arising as a result of reliance upon the information given.
Call the Practice Advice Service on 020 7320 5675 or email email@example.com.
The Practice Advice Service is staffed Monday to Friday from 9am to 5pm.