The UK is amending its requirements as to customer due diligence (and related matters) in the context of anti-money laundering and counter-financing of terrorism. There are significant implications for all businesses in the regulated sector, and firms will need to review their policies and procedures to ensure continuing compliance. The Government has published the full draft text of the new UK legislation, and the revised rules are now being finalized and readied for enactment, alongside certain supervisory and market guidelines. The effective date is currently proposed to be June 26, 2017, but it is possible that this could be delayed given that the UK Parliament has been dissolved until after the general election. With possibly just a month left to prepare for the new regime, this update highlights the key issues for financial services firms, and suggests action points for their implementation plans.

New Requirements in Brief

• Firms must prepare risk assessments, with reference to a broader money laundering and terrorist financing risk assessment to be published by the Government and information provided to firms for this purpose by the Financial Conduct Authority (FCA), and embed them as the foundations of their internal policies and procedures.
• Where appropriate, firms need to appoint an officer at board level to be responsible for compliance with customer due diligence (CDD) requirements, set up a CDD audit function and screen employees for ability and integrity as regards CDD compliance.
• The rules as to group-wide application of UK-standard CDD measures are extended, with new requirements to exchange information within the group, and new enforcement powers available to the authorities where they consider the group’s CDD measures in a country outside of the European Economic Area (EEA) do not effectively address money laundering and terrorist financing risks.
• The provisions on CDD, beneficial ownership, simplified due diligence, enhanced due diligence, correspondent relationships and politically-exposed persons are all substantially modified, reflecting an ever-stronger focus on the requirement to take a risk-sensitive approach.

SIDLEY UPDATE Page 2

• In contrast to the current regulations, the draft regulations list the various administrative sanctions and measures available to the FCA for failures to comply, including fines, the suspension and cancellation of a firm’s authorization, imposition of limitations and restrictions on regulated activities, as well as temporary or permanent bans against persons with managerial responsibilities found to be responsible for firm failures, from exercising managerial functions in regulated firms.

Background

The new UK legislation is known as the Money Laundering and Transfer of Funds (Information on the Payer) Regulations 2017 (the New Regulations). The New Regulations repeal and replace the Money Laundering Regulations 2007 (2007 Regulations) and the Transfer of Funds Regulations 2007. The New Regulations implement in the UK the EU’s Fourth Money Laundering Directive (MLD4). MLD4 was finalized in June 2015, and is required to be transposed into domestic law by all Member States no later than June 26, 2017. The New Regulations also make provision with regard to the EU’s Funds Transfer Regulation, which has direct effect in the UK (as in all other Member States), but is supplemented in certain respects by the New Regulations.

The New Regulations focus on CDD and related requirements, and comprise one element of a set of measures aimed at preventing money laundering and the financing of terrorism (ML/FT) in the UK. The New Regulations do not change other aspects of the UK’s anti-money laundering and counter-terrorist financing regime.
In particular, the various general criminal offences as regards ML/FT (under the Proceeds of Crime Act 2002 and the Terrorism Act 2000) remain in force, unamended. However, further changes are being made to the law on ML/FT, at both EU and UK level – see the “In the Pipeline” box below.

Scope and General Principles: No Change to Fundamentals

The New Regulations apply to “credit institutions” and “financial institutions” (as well as to certain other types of entity). Those terms are defined exactly as in the 2007 Regulations and cover, amongst others, banks, custodians, investment service firms, investment managers, insurance companies, loan and mortgage companies, money service businesses and e-money issuers.

The general scheme of the CDD rules also remains unchanged, such that, as under the 2007 Regulations:

• Firms must conduct CDD if they establish a business relationship or carry out an occasional transaction.
• In prescribed circumstances, firms must refresh their CDD in respect of existing customers.
• CDD must be conducted on a risk-sensitive basis and, where appropriate, this will allow the application of simplified due diligence or require enhanced due diligence.
• In certain circumstances, firms may rely on CDD that has already been conducted by a third party.
• Firms must monitor client transactions on an on-going basis.
• There are requirements as to documentation, systems and procedures (including record-keeping) and training.
• The FCA supervises all banks and the majority of financial institutions in respect of their compliance with the CDD requirements.

Risk Assessments

There are requirements for a new three-tier system of risk assessments:

• The Government must assess and report on ML/FT risks at the UK level (by June 26, 2018), and must identify areas of higher/lower risk and include guidance on when and how firms must apply enhanced due diligence.
• Each supervisory authority (e.g., the FCA) must assess risks facing its specific regulated sector and must also prepare risk profiles for individual firms or clusters of firms.
• Each firm must assess risks facing its business taking into account risk factors relating to its customers, geographic areas of operation, products and services, transactions and delivery channels.

Action: Typically, firms will have already undertaken an internal risk assessment with respect to their existing policies and procedures implementing the 2007 Regulations. However, firms will likely need to revisit their assessments in light of the new three-tier regime, to reflect the Government risk assessment (when available), any information provided to firms by the FCA regarding its risk assessment and the risk factors detailed in the New Regulations (to the extent they are not already addressed under existing risk assessments).

Responsible Officer and Audit Function

If appropriate, having regard to the size and nature of its business (as to which, see below), a firm must take the following steps:

• Appoint a person at board level (or equivalent) to be responsible for the firm’s compliance with the New Regulations. This obligation is in addition to (i) the current requirement to appoint a nominated officer to receive and submit suspicious activity reports; and (ii) the FCA’s requirement to appoint a money laundering reporting officer (although, all of these roles may be performed by the same person).
• Establish an independent audit function to monitor compliance with the New Regulations.

In determining, for this purpose, what is appropriate with regard to the size and nature of its business, the New Regulations provide that a firm must take into account its internal risk assessment and may take into account any guidance issued by its supervisory authority or by any other relevant regulator or trade association.
Action: An essential early step in a firm’s implementation plan for the new regime will be to consider whether it needs to make these appointments (i.e., whether they are appropriate in the context of its business). A firm that already has responsibility allocated at board level, and has a CDD audit function, will need to confirm that those existing arrangements also satisfy the detailed requirements of the New Regulations.

Screening Employees

As appropriate with regard to the size and nature of its business, a firm must screen relevant employees and agents, before appointment and at regular intervals thereafter, to assess their skills, knowledge, capability, conduct and integrity as regards CDD compliance. On the face of the New Regulations, this requirement is potentially very broad, covering:

• Anyone who is relevant to the firm’s compliance with the New Regulations.
• Anyone who is otherwise capable of contributing to the identification or mitigation of relevant risks or to the detection or prevention of ML/FT as regards the firm’s business.

Action: The key, for firms where employee screening is considered appropriate, will be to determine clear parameters for identifying relevant staff and agents and to set straightforward criteria for assessing the specified characteristics – all on a risk-sensitive basis.

New Approval Requirements for Money Service Business Agents

In addition to the internal employee screening requirements, the agents of money service businesses (MSBs) that are currently registered with Her Majesty’s Revenue and Customs (HMRC) under the 2007 Regulations will also be subject to a “fit and proper” test to be conducted by HMRC. At present HMRC’s assessment is limited to just the MSB principals, their beneficial owners and persons who direct the MSB’s business. MSBs may also have to submit their ML/FT risk assessments and policies to HMRC for purposes of their registration under the New Regulations.
Action: MSBs should ensure a timely response to any information requests received from HMRC. As currently drafted, the New Regulations suggest that MSBs may be removed from HMRC’s register if they fail to provide the requested information within 12 months of the New Regulations coming into force.

Application of Parent’s Policies and Procedures Group-Wide

Under the 2007 Regulations, firms must ensure that their subsidiaries and branches outside the EEA apply CDD measures at least equivalent to UK standards. This requirement is extended and amended under the New Regulations, so that parent firms must ensure that their UK policies and procedures are applied by all their subsidiaries and branches, wherever they are located. Accordingly, this requirement now includes subsidiaries and branches within the EEA (as well as those in non-EEA countries). In the case of EEA subsidiaries and branches, the parent firm must also ensure that they comply with the domestic rules that implement MLD4 in the relevant EEA Member State.

As under the 2007 Regulations, the New Regulations acknowledge that it may not be legally possible to impose UK-standard requirements in other jurisdictions, and thus, allow for firms to apply alternative measures where this is the case. However, the New Regulations also introduce a new power in this regard:

• Where the parent firm is an authorized person under the Financial Services and Markets Act 2000 (and, in certain cases, where the parent firm itself is not so authorized, but other specified conditions are satisfied), the FCA must determine whether the alternative measures applied in the relevant jurisdiction are sufficient.
• If they are not, the FCA must consider whether to direct the parent firm to take other action in that jurisdiction, which could include terminating existing business relationships, ceasing certain types of business or closing its operations entirely.
In addition, parent firms are now required to establish, throughout the group, policies and procedures for sharing information within the group for the purposes of preventing ML/FT (subject to any data protection restrictions).

Action: This could be a significant burden for firms not already taking a unified approach globally. The starting points will include identifying relevant group entities, and assessing any similar policies and procedures currently in place locally. It will be particularly important to focus on any jurisdictions where it is not legally possible to apply UK-standard requirements as well as to ensure effective alternative measures are in place, in light of the new intervention powers introduced by the New Regulations.

Reliance

Under the 2007 Regulations, firms may rely on certain other specified persons (e.g., other financial institutions regulated within the EEA or third countries with equivalent ML/FT standards) to apply any or all of the CDD measures. The provisions relating to reliance are retained under the New Regulations and the range of persons upon which a firm may rely is extended to include, inter alia, MSBs, payment institutions and electronic money institutions, which are precluded from reliance under the 2007 Regulations. Certain procedural requirements as regards reliance are waived in cases where a group applies CDD measures to MLD4 standards (or equivalent) across the group and is supervised at group level by an EEA supervisory authority (or equivalent), and one member of the group relies on CDD conducted by another. However, it remains the case that the relying firm retains liability for any non-compliance with the CDD requirements. Consequently, we would not expect these changes to lead to any significant increase in the use of the reliance option.

Customer Due Diligence

As under the 2007 Regulations, firms are required to take a risk-based approach to CDD under the New Regulations.
This means that the extent of CDD that firms conduct will depend on the level of financial crime risk the relevant customer, business relationship, product or transaction is assessed as presenting to the firm. However, there is an even greater focus under the New Regulations on the principle of a risk-based approach to CDD and on the duty to reflect that in everything the firm does. We highlight below specific changes as regards CDD, beneficial ownership, simplified due diligence, enhanced due diligence, correspondent banking and politically exposed persons.

CDD Generally

Existing customers

Under the 2007 Regulations, firms are required to conduct CDD against existing customers where firms suspect ML/FT or doubt the veracity or adequacy of documents, data or information previously obtained for CDD purposes. The New Regulations provide a new, non-exhaustive list of scenarios in which a firm must conduct CDD on existing customers. These are where there is:

• An indication that the identity of the customer, or of a beneficial owner, has changed.
• A transaction that is not reasonably consistent with the firm’s knowledge of the customer.
• A change in the purpose and intended nature of the firm’s relationship with the customer.
• Any other matter that might affect the firm’s assessment of the ML/FT risk.

Customer representatives

There is also a new requirement to conduct an identity check on any person who “purports to act on behalf of the customer,” and to verify that he or she is authorized in that regard. The good practice Guidelines published by the Joint Money Laundering Steering Group already recommend that firms “take appropriate steps to be reasonably satisfied that the person they are dealing with is properly authorized by the customer,” but the new legal obligation under the Regulations is potentially more onerous.
In principle, this could be a burdensome requirement, particularly where there may be several of the customer’s personnel interacting with the firm. However, one approach, where relevant, could be to construe this as a requirement to verify the identity and authority only of the person who acts for the customer in signing the initial contract or terms of engagement with the firm, as opposed to all of the other staff who deal with the firm in the day-to-day course of the relationship.

Beneficial ownership

The New Regulations expand on the requirement under the 2007 Regulations to verify (on a risk-sensitive basis) the identity of a customer’s beneficial owners by providing for a more detailed definition of “beneficial owner” and introducing various technical changes regarding verification of beneficial ownership, including the following:

• When assessing who may be the beneficial owner of a trust, there is no longer any prescribed level of interest (such as the current 25 percent threshold) below which a person is presumed not to have the requisite degree of control or influence, so the range of potential beneficial owners is potentially broader.
• There is a direct obligation on UK body corporates, UK trusts and certain non-UK trusts to provide firms with information as to beneficial ownership, within two working days of the firm’s request and to notify the firm of any changes (and UK corporates must also provide other identity information).
• Although information on beneficial ownership of UK corporates should now be available from Companies House (the UK registrar for relevant UK entities), the Regulations state that a firm does not satisfy the CDD requirements on beneficial ownership simply by obtaining that information from Companies House.
• If it proves impossible to ascertain details of beneficial ownership, a firm may treat the customer’s senior manager as its beneficial owner.
Simplified Due Diligence (SDD)

No automatic SDD

The CDD regime under the 2007 Regulations provides for SDD, which means that, in certain specified low-risk situations (e.g., when a customer is a listed company on a recognized stock exchange), firms do not need to perform CDD with respect to the customer or its beneficial owner(s). The New Regulations make no provision for the automatic application of SDD, whether by reference to the characteristics of the customer or on any other basis. Instead, firms will have to assess every arrangement individually, on a risk-sensitive basis, to determine the appropriate due diligence measures to be taken.

Reference factors and guidelines

There is a list of factors to be considered in making this determination (some of which correspond to the scenarios in which, currently, SDD automatically applies). Firms are also required to refer, for this purpose, to guidelines to be published by the Joint Committee of the European Supervisory Authorities (ESA). The guidelines have not yet been finalized but, in draft, are extensive and detailed (though expressly non-exhaustive).

SDD requires verification of identity

Under the New Regulations, firms will have to conduct checks and verification when applying SDD (except where the customer is listed on a regulated market, where it is not necessary to identify any beneficial owner), but they are entitled to “adjust the extent of the measures” that they apply in such cases.

Enhanced Due Diligence (EDD)

Generally

The 2007 Regulations specify a number of scenarios in which firms must conduct EDD, which means that, in specified high-risk situations, firms must take extra measures or steps in addition to their normal CDD measures.
These include situations where a client has not been physically present for identification purposes; transactions involving politically exposed persons; correspondent banking relationships with institutions outside of the EEA; and any other situation that by its nature can present higher ML/FT risks. The New Regulations retain the requirement for EDD, but expand the number of scenarios in which EDD may be required, and also include a lengthy and detailed – but expressly non-exhaustive – list of the factors to be considered in assessing whether there is a high risk of ML/FT and in determining the appropriate measures to be applied.

The New Regulations list measures that must be taken when a firm conducts EDD, and other steps that may be appropriate. In determining the appropriate scope of its EDD in any case, a firm must also refer to the ESA guidelines.

Correspondent relationship

The requirement to conduct EDD in connection with any correspondent relationship continues. However:

• The obligation is extended to apply also with regard to financial institutions (where it applies currently only to credit institutions).
• For the first time, there is a definition of “correspondent relationship”, clarifying that it includes arrangements relating to current or other accounts, cash management, funds transfers, cheque clearing, providing direct access to a correspondent’s or respondent’s accounts, foreign exchange services and securities transactions.

Politically exposed persons (PEPs)

As under the current rules, PEPs are subject to EDD but:

• There are new provisions on establishing procedures for identifying whether a person is a PEP, and on assessing risk and determining the appropriate level of EDD.
• The definition of PEP now includes members of political parties’ governing bodies, and UK individuals within any of the listed categories.
• The FCA will issue guidance on identifying PEPs and conducting EDD on them (which was published in draft in March 2017).
• Generally, there is a strong emphasis on the need to apply EDD in a risk-sensitive manner to PEPs – for example, the FCA’s draft guidance suggests that PEPs from certain jurisdictions (including the UK) may typically be subject to lesser requirements than those from elsewhere.

Action: All of the many changes as regards CDD, beneficial ownership, SDD, EDD, correspondent relationships and PEPs will necessitate significant changes to systems and procedures manuals. In many cases, these are not simply drafting issues, but matters that will require consideration, at a senior level, to agree on policy positions and to determine the appropriate risk-based approach for the firm to take. This will need to be followed by a programme to publicise the changes and to train relevant staff.

Next Steps

Although the New Regulations will soon become operative, firms may still have a considerable amount of work to do in preparing for the new CDD regime. There may be assessments to be made and decisions to be taken at a senior level; detailed changes to be implemented at a technical level in compliance manuals, systems, checklists and forms; and education and training to be rolled out across all relevant staff and agents.

Even though the New Regulations and the related guidance materials have not yet been finalized, all are in sufficiently advanced draft form that the key elements of the new regime are clear. Indeed, with just a month or so to go until the changes take effect, firms should move on with their implementation programmes before the final versions are published.
Given that further reforms are expected with regard to ML/FT and CDD in the near future (see “In the Pipeline”), firms may wish – to the extent possible – to try to anticipate those changes in their policies and procedures at the same time as updating them for the New Regulations.

In the Pipeline

Implementation of the New Regulations is only one part of an on-going reform programme as regards ML/FT and CDD. Further upcoming changes include the following.

• The EU’s Fifth Money Laundering Directive (MLD5) will modify MLD4. MLD5 is likely to be finalized later this year. Its key features include:
  o extension of the CDD regime to include virtual currency exchange platforms and custodian wallet providers.
  o further amendments regarding EDD.
  o measures relating to anonymous prepaid payment instruments.
  o new centralized mechanisms in each Member State to identify holders and controllers of bank and other accounts.
  o new powers for the authorities to obtain ML/FT information from firms.
  o broader access to information on beneficial ownership of corporate entities and trusts and similar arrangements.
• The UK’s Criminal Finances Act 2017 introduces reforms to the regime for suspicious activity reports (including provision for the moratorium period to be extended up to a maximum of 186 days), and facilitates the sharing of relevant ML/FT information amongst firms. The key aspects of the Act are expected to come into force this September.