Speed Read: With the Criminal Finances Act 2017 and the Money Laundering Regulations 2017 having come into force in April and June 2017 respectively, Natasha Reurts assesses the developments and distils the key points arising from the UK’s second comprehensive National Risk Assessment and recent draft guidance on the Regulations which will be helpful to firms and businesses.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR 2017”) came into force on 26 June 2017, nearly four months ago. The Criminal Finances Act 2017 (“CFA 2017”) received royal asset on 27 April 2017, six months ago. Although parts of the CFA 2017 are yet to commence (e.g. the unexplained wealth order regime), guidance on aspects of both the MLR 2017 and CFA 2017 have been issued by both government authorities and industry stakeholders. Below is an analysis of the Law Society’s recently published draft guidance on the MLR 2017 and the UK’s second National Risk Assessment report, drawing out the key points for business and the legal sector.

UK National Risk Assessment

On 26 October 2017, HM Treasury and the Home Office released the second comprehensive assessment of the money laundering and terrorist financing risk in the UK. Although the previous national risk assessment, released in October 2015, will still be informative in formulating a risk assessment, business should take note of the updated version to incorporate into their anti-money laundering policies.

The 2017 national risk assessment, which builds upon the 2015 national risk assessment, is the product of consultation across all aspects of government, law enforcement authorities and the private sector. It reflects consideration of the EU supranational risk assessment and other public reports which consider the assessment of money laundering and terrorist financing risks.

The 2017 national risk assessment makes several key findings. First, that “high end money laundering and cash-based money laundering”[1] remain the greatest areas of risk facing the UK. Moreover, that new money laundering typologies continue to emerge, including through exploitative use of new technologies. The assessment confirms the money laundering vulnerability faced by professional services. Although the finding re-asserts the 2015 assessment of intelligence gaps, the report notes that a “better understanding”[2] has ensued in relation to specific services and professionals at greater risk of abuse by persons seek to legitimize illicit gains. Third, the assessment notes that cash and cash intensive sectors, such as retail banking or money service businesses, are still the favoured modus operandi money laundering in and out of the UK. Lastly, it notes that although a raft of legal mechanisms have been put in place by government and law enforcement to tackle money laundering, it is still early days.

The national risk assessment identifies the risk posed to various industries, including, amongst others, financial services and technologies, accountancy, legal services and property and estate agencies. In this respect, it will be necessary for firms working within these sectors to have regard to it when preparing, as required by the MLR 2017, their firm wide risk assessment.

There are a few interesting points to note. First, with respect to financial technologies the national risk assessment addresses the money laundering risk for digital (or virtual) currencies head on. This is a topic that has generated a considerable amount of attention within the compliance and money laundering circles. The assessment notes the NCA’s previous assessment of virtual currencies use for money laundering purposes as relatively low – and the lack of evidence showing their use to launder large amounts of money. However, the risk assessment does state that as between May 2016 and July 2017, 1,584 SARs were submitted referring to digital currencies. The number of reports referring to digital currencies has increased month-on-month. The assessment also puts industry on notice in stating that further regulation in the area of ‘wallet’ providers is expected in the EU Fifth Anti-Money Laundering Directive. The conclusion of the risk assessment; that the money laundering risk is expected to grow as digital currencies become a more “viable and popular payment method.”[3] In relation to gambling (all gambling providers are now caught by MLR 2017), the risk assessment of ‘low’ has been maintained in the 2017 national risk assessment; the finding being that there is a lack of evidence which suggests the use of the gambling sector for money laundering on a significant scale.

With respect to the accountancy sector, the 2015 national risk assessment assessed the sector to be at a high risk of money laundering exploitation and the position remains unchanged in the 2017 national risk assessment. Likewise, with respect to legal services, the 2015 national risk assessment assessed the money laundering risk to be high and the 2017 national risk assessment states that “[d]ue to the attractiveness of legal services to criminal and their continued prevalence in high-end money laundering…there is still assessed to be a high risk associated with abuse of legal services in money laundering.”[4] In short, it may be difficult for a legal services provider who properly adheres to the MLR 2017 when undertaking their firm risk assessment to properly conclude that their risk of exposure to money laundering is low.

UK Law Society Guidance – Risk Assessment

In September 2017, the UK Law Society released a draft of its guidance to the legal sector on the implementation of the MLR 2017.

MLR 2017 is more prescriptive, when compared to MLR 2007, in requiring firms and relevant persons to adhere to requirements relating to risk assessment and due diligence. MLR 2017 sets out the procedure that must be taken, in Regulation 18, by the relevant person to determine the business’s potential risk exposure to money laundering and terrorist financing. In practice, this means that the relevant person must produce a written AML risk assessment which addresses the business’s customers, geographic areas of operations and clientele, services offered, transactions, delivery channels in relation to the nature and size of the business. This assessment must be translated into written findings.

In relation to risk assessment, the guidance notes that “a comprehensive practice-wide risk assessment combined with appropriate risk-based judgments on individual clients and retainers will enable you to justify your decisions and actions to law enforcements, the courts and your supervisory authority.”[5] Many legal services and other industries feel as though they are operating in the dark with respect to the risk assessment; what, exactly, does it require? And how do you go about assessing the practice wide risk where your business is so varied? These are all valid questions to which the Law Society Guidance note provides some answers. The guidance advises that firms consider a range of sources to better understand the nature of the money laundering risks that are faced by firms. These resources can include the UK’s national risk assessment (as mentioned above), the EU’s Supranational Risk Assessment and the FATF’s risk-based approach guidance for legal professionals.

The guidance is particularly helpful in respect of distilling the type of factors that firms should have regard to. For example, it suggests that firms may want to have regard to ‘the length and strength of…typical client relationships’[6]. A high turnover of clients may indicate a greater money laundering risk as compared to a stable client base. A stable client base enables a firm to be in a better position to identify potential money laundering risks. The guidance lists particular higher risk sectors that clients may operate in. These sectors include public work contracts and constructions, real-estate and property development, the oil and gas industry, the nuclear industry, mining (including diamond mining and trading) and arms manufacturing/supply and defence industry. Clients who operate within these sectors, or those operating in higher risk geographic locations should be considered as having an elevated money laundering and terrorist financing risk.

The guidance also lists, repeating already well-known information, the particular services and areas of law that are considered to face the greatest money laundering risk. These areas are: misuse/abuse of client accounts, sale/purchase of real property, creation of trusts, companies and charities, management of trusts and companies and sham litigation. Each of these individual service areas and the money laundering risks are discussed in detail in the guidance. Firms who do not operate within these sectors are cautioned that other areas of risk do exist and as such, firms would be best place to ensure that the risk assessment enables staff to identify money laundering warning signs.

Helpfully, the guidance sets out mitigating factors that firms should have regard to when formulating their risk assessment and associated written policies.

Importantly, the guidance sets out how the risk assessment will be used in practice. In assessing the individual client risk and the retainer/matter risk the firm-wide risk assessment will play a central role. The regulations (regulation 28(12)(a)(i) and (ii) require that the in order to comply with CDD, both the firm wide risk assessment and the particular client/matter risk assessment must have been considered. A macro and micro assessment of risk has to be made and one will necessarily inform the other. The guidance states that with respect to a particular case, firms are required to take into account three matters: (1) the purpose of the transactions or business relationship; (2) the size of the transactions undertaken by the customer and (3) the regulatory and duration of the business relationship. The guidance goes on to provide a comprehensive list of other factors firms should consider with respect to the case.

The determination of risk can be mitigated by altering the CDD (Client Due Diligence) controls to address areas of risk concern. For example, the guidance provides: “[i]f you are satisfied that you have verified the client identity, but the retainer is high risk, you may require fee earners to monitor the transaction more closely, rather than seek further verification of identity.” [7] Or, “[i]f you have concerns about verifying a client’s identity, but the retainer is low risk, you may expend greater resources on verification and monitor the transaction in a normal way.”[8]

The Law Society Guidance on risk assessment concludes by noting, importantly, that risk assessment is an ongoing process for both “the practice generally and for each client, business relationship and retainer”.[9] Translated to practice, this means that should ‘something’ (e.g. client wishes to pay firm fees via a third party) come up during the business relationship, firms and fee earners should return to the risk assessment and re-consider whether this ‘something’ changes your assessment of the client risk, generally, and whether further mitigating measures are required in order to address the emerging or changing risk. Certainly, as the guidance notes,[10] the better firms know their client base and understand transactions and instruction, the better placed the firm will be to understand, foresee and mitigate against money laundering and terrorist financing risks.