Businesses affected by the new guidance should review their AML procedures in light of it

On 22 July 2022, HMRC issued updated guidance on anti-money laundering (AML) procedures for estate and letting agency businesses registered with HMRC. This guidance replaces HMRC's previous guidance that was last updated in May 2019.

Estate agency is defined very broadly for the purposes of the guidance and associated AML regulations. This can include businesses that are construction companies (in particular, developers), social housing providers and asset management companies.

Since the guidance was issued, it appears that HMRC may be taking a more proactive approach as agency supervisor, and we are already assisting clients in responding to HMRC compliance requests.

HMRC's increased proactivity is perhaps unsurprising given the increased media attention on money laundering in the UK. In February 2022, due diligence provider Credas reported that money laundering costs the UK approximately £88 billion a year, making it the second global money laundering hotspot following only the United States.

What does the new guidance address?

The guidance addresses nine key areas:

  • money laundering and estate agency and letting agency businesses;
  • estate agents and letting agents;
  • responsibilities of senior managers;
  • risk assessment and policies, controls and procedures;
  • customer due diligence;
  • reporting suspicious activity;
  • record keeping;
  • staff awareness;
  • estate agency or letting agency business risk

Who is responsible for AML oversight in a company?

Under the guidance, senior managers are responsible for the oversight of compliance. If they do not "take the steps necessary to protect their business", they can be held personally liable.

A senior manager is an officer or employee with sufficient knowledge and authority to make decisions affecting the business's exposure to money laundering. Directors, managers and chief executives are clear examples; other individuals who may be caught include anyone carrying out a similar or related function.

Senior managers must ensure their business has carried out a risk assessment and has in place policies, controls and procedures to reduce the risk of money laundering. The size of the business will impact the level of controls in place. At minimum, a senior manager must:

  • identify, assess and manage effectively, the risks that the business may be exploited to launder money or finance terrorists;
  • take a risk-based approach to managing these risks, focusing more effort on high risks;
  • appoint a nominated officer to report suspicious activity to the National Crime Agency; and
  • devote enough resources to address the risks of money laundering and terrorist financing.

What could HMRC be focusing on?

While it is too early to judge this definitively, in the initial stages HMRC may focus on ensuring that businesses have undertaken an objective risk assessment and have effective policies and procedures in place to mitigate against the risks identified.

What is a risk assessment?

This is how a business identifies the risks it is exposed to from its customers, geographical areas of operation, services provided, the types of transactions undertaken and its delivery channels .

The assessment should act as a guide for developing customer risk assessments and when considering the level of due diligence required for customers.

It must be written and regularly reviewed. The assessment should be provided to HMRC when requested and the information on which the assessment was based may also need to be provided.

What policies, controls and procedures should be in place?

Each business should have a written statement setting out its AML policy, plus the necessary controls and procedures to manage the risk exposure identified in its risk assessment.

The AML policy should explain how the business will carry out its customer due diligence obligations, what procedures, controls and staff training will be put in place, how to make suspicious activity reports, who the relevant officers are and how records will be kept and reviewed.

Controls and procedures will vary depending on the business and the activities it undertakes. However, there should at least be systems in place to monitor risks and business relationships, staff training, systems to assess the level of due diligence required and robust controls to reflect the risk characteristics of the clients.

Policies, controls and procedures should be periodically reviewed and updated. The guidance emphasises that these are not simply a box-ticking exercise.

What should businesses be doing now?

Considering HMRC's possible new stance, all businesses that undertake estate or letting agency work should review their AML procedures as a priority. The following should be done without delay:

  • conduct a risk assessment, or review any existing one; and
  • prepare, or review and update, policies, controls and procedures to show how the business will manage the risks identified.

Additionally, as a matter of routine, businesses should ensure that they continue to comply with their AML obligations under AML regulations. This will include:

  • ensuring that relevant staff are appropriately trained to implement their policies;
  • ensuring that all policies, controls and procedures are communicated and applied to subsidiaries and branches (including outside the UK);
  • monitoring the effectiveness of the policies, controls and procedures so they can be improved where required; and
  • having systems to identify and address higher risk transaction, including those involving high risk jurisdictions or politically exposed persons.