Speed Read: Public consultation on the proposed new draft Money Laundering Regulations 2017 (“MLR 2017”) closed on 12 April 2017. The government must now move swiftly with any amendments if it is to achieve compliance with the deadline of 26 June 2017 for the transposition of the EU Fourth Money Laundering Directive (“4MLD”) into UK law. With time marching on, of critical importance to the regulated sector is the extent to which the final version of the MLR 2017 actually increase Customer Due Diligence (“CDD”) requirements. Against this background, three key matters are ripe for examination: the reach of the new CDD provisions in the MLR 2017, the major changes to managing and responding to money laundering risk, and capacity for record sharing.
1. The reach of the MLR 2017
Who is in and who is out?
On 26 June 2017, the MLR 2017 will replace the existing anti-money laundering (“AML”) compliance framework appearing in the Money Laundering Regulations 2007 (“MLR 2007”). Parts 2 and 3 of the MLR 2017 address AML risk assessment and controls and CDD duties respectively. Compared to the MLR 2007, the provisions are markedly more comprehensive. As for those caught by Parts 2 and 3, the list remains, save for one technical addition relating to auction platforms captured by the EU emissions auctioning regulations (Commission Regulation (EU) No 1031/2010), unchanged from the list appearing in the MLR 2007. Application remains capped at credit and financial institutions, auditors, insolvency practitioners, external accountants and tax advisers, independent legal professionals, trust and company service providers, estate agents, high value dealers and casinos.
Letting agents and online gaming
For many, this comes as a surprise. In its 2016 consultation on the proposed transposition of 4MLD, the UK government toyed with the idea of expanding the ambit of the regulated sector beyond the conventional gatekeepers, to include letting agents and online gaming providers. Neither, however, made their way into the draft MLR 2017.
However, the collective sigh of relief from the industries affected could be short-lived. The Home Office noted in its consultation report published March 2017 that although it considered that letting was an ineffective way of laundering money as lettings, unlike real estate or other goods, are not a lasting “store” of value, it was aware of an intelligence gap in the lettings sector. Consequently, it will seek further evidence on money laundering risk in the estate agent and lettings sector and will report back by year end. As for online gaming providers, the draft MLR 2017 recognise that the government must make arrangements before 26 June 2018 for a national money laundering risk assessment which expressly includes consideration whether “providers of gambling services other than casinos should continue to be excluded” from the regulations (see draft Regulation 16).
Further, whilst the general category of firm or person subject to the regulations and particularly the AML requirements, remains unchanged, a wider net will be cast. Under the MLR 2007, a regulated person was exempt from compliance with provisions relating to CDD where their total annual turnover in respect of the regulated activity did not exceed £64,000. Under MLR 2017, this is set to increase to £100,000. The definition of high value dealers, such as jewellery, art and other luxury goods dealers, also previously hinged on a transaction totalling at least 15,000 euros. Come 26 June 2017, this will fall to 10,000 euros. The post-Brexit fluctuating rate of sterling could accordingly make all the difference to the AML compliance burden arising in a particular customer relationship.
New requirements for estate agents
Beyond this, estate agents will see their CDD burden increase if the present proposal in the MLR 2017 requiring them to undertake AML checks on both the property seller and purchaser is maintained. Draft Regulation 4 of MLR 2017 proposes that “an estate agent is to be treated as entering into a business relationship with a purchaser as well as a seller”. This holds implications as fundamental to AML compliance is the performance of appropriate CDD proportionate to the money laundering risk on all persons with whom a regulated person enters a business relationship. Failure to do so exposes a regulated person to criminal liability.
Accordingly, estate agents have been singled out for compliance with a higher bar. Although this may be a proportionate measure directed at stemming the laundering of money through the UK property market, the need for clarity is self-evident. When, for instance, does a business relationship in the context of a potential property purchase commence? To avoid ambiguity, there is a case for identifying it at the point of offer and acceptance of a contract of sale. The new definition of “business relationship” in the context of estate agents to encompass both sides of a property transaction is also vulnerable to criticism when considered that, by its very definition, an estate agent is in an agency relationship with a particular purchaser or vendor to whom he owes professional duties, and not both.
Both sides – a precedent?
Looking ahead, if the “checking both sides” requirement is maintained in relation estate agents, the question arises as to whether precedent has been set for expanding the CDD requirements applicable to other types of regulated persons in a similar fashion in due course. If this is on the horizon, a comprehensive cost / benefit analysis of increasing compliance duties of the kind undertaken by other countries contemplating AML regime expansion, would be worthwhile.
2. Risk management
The striking difference between the MLR 2017 and MLR 2007 is the more pronounced emphasis on tailored risk management and controls and case-specific CDD, backed by criminal sanction. Although exposure to criminal liability for breach of the money laundering regulations is nothing new, the provisions in the MLR 2017 pertaining to policies and CDD are markedly more comprehensive. Simplistically, this is illustrated by the ten-fold increase in the use of the word “risk” in the MLR 2017 compared to the MLR 2007.
Policies and procedures
What, however, does this actually mean in practice for AML compliance? Fundamentally, MLR 2017 imposes a wider positive requirement for regulated firms to perform an assessment of money laundering risk which is specific to their firm, accounting for factors including customers, products, geography and delivery channels. Reference to the latter suggests that firms must look beyond their own practices and to their suppliers, contractors, intermediaries and business partners when assessing money laundering risk. The MLR 2017 require regulated firms to implement controls and procedures proportionate to the nature and size of the business and to continue to monitor, develop and, if required, enhance such policies and controls over time.
Beyond this, the enactment of the MLR 2017 will see a new duty imposed on corporate groups to develop, implement and maintain group-wide policies, applicable to subsidiaries outside of the UK and even in non-EEA third countries unless a supervisory authority has been informed of a legal impediment (draft Regulation 20). The compliance burden however is not lessened in the event of the latter. From 26 June 2017, where a legal impediment arises in a third country, a regulated parent company will be obliged to take additional measures equivalent to those required by the MLR 2017 and implement them in the third country (draft Regulation 20(4)). There is, accordingly, a positive duty on a parent company to ensure that AML policies and procedures imposed on subsidiaries anywhere in the world are as equally rigorous as those applying to UK subsidiaries.
The MLR 2017 also impose several positive requirements in relation to internal processes, with regulated firms set to be required to establish an independent MLR 2017 compliance audit function, appoint a Board member or member of management to be responsible for compliance and continually screen, train and monitor all employees relevant to the compliance function (see draft Regulations 21 – 24).
It follows that the overarching theme of the MLR 2017 is risk management, oversight and monitoring, notwithstanding geographical bounds. On one view, this only formalises in the statute books what many prudent firms doing business in the UK are already doing. For others, however, the advent of the MLR 2017 presents an opportunity to take stock of existing practices and procedures.
Risk factors and CDD
In regards to CDD, what the MLR 2017 provide is more clarity over fundamental requirements that regulated firms have long been adhering to. Under the MLR 2017, “identify and verify” remains the bedrock of CDD and the timing of the necessary verification will broadly remain the same as that in MLR 2007. However, in practice the appropriate level of CDD to be deployed can be difficult to discern. To assist, the MLR 2017 lists various non-exhaustive indicators for when enhanced CDD will be required. These include where a transaction is unusually complex, where there is a nexus with a high-risk country and other geographical circumstances, where the customer has a cash-intensive business or where the customer is a legal structure. It also encourages regulated firms to look to credible sources and reports, such as mutual evaluation reports, Financial Action Task Force and International Monetary Fund reports, if in doubt over whether a geographical nexus should trigger warning bells.
In keeping with the theme of case-specific risk management, the MLR 2017 also expand the scope to undertake simplified CDD. Under MLR 2007, simplified CDD may only be undertaken where a customer or product falls into a rigid category. By contrast, the MLR 2017 create more flexibility by enabling a regulated person to apply simplified CDD where, having assessed a specific case by reference to a range of risk factors, it considers the money laundering risk to be low. In other words, the approach is fundamentally risk-based rather than category-based. Certainly, the greater flexibility will assist the regulated sector.
3. Record sharing with third parties
Finally, the ability to rely on CDD performed by a third party is set to be maintained in the MLR 2017. However, it ought to come as no surprise that in line with the position in the MLR 2007, reliance does not remove liability for CDD failure. The duty to undertake appropriate CDD proportionate to the risk of money laundering is non-delegable.
Any CDD record sharing will also be subject to a clearer framework. When the MLR 2017 enters in to force, in order to rely on CDD performed by third parties a written agreement will have to first be entered into with the third party in relation to CDD sharing (see draft Regulation 38). At the minimum, the proposed written agreement must enable the relevant person to obtain copies of identification and verification data relating to a customer or its beneficial owner from the third party immediately on request, or at least within two days, and require the third party to keep copies of its records for five years (when read in conjunction with draft Regulation 39).
However, going forward, it will be interesting to see whether CDD record sharing agreements between members of the regulated sector will entail more in practice. Specifically, the question arises as to whether more substantial agreements or detailed terms of understanding relating to information or record sharing more generally might eventuate. There is a potential for this when it is considered that passage of the Criminal Finances Bill 2016 will introduce a new regime promoting cooperation within the regulated sector in relation to money laundering. On request by another regulated firm, a regulated firm will be permitted to share information with the regulated firm if “it will or may assist in determining any matter in connection with a suspicion that a person is engaged in money laundering” (new proposed new section 339ZB of the Proceeds of Crime Act 2002 appearing in the Criminal Finances Bill 2016). The time for providing the information is set to be 28 days. Accordingly, when it comes to money laundering, there is a wider legislative steer in favour of encouraging cooperation within the regulated sector.