Speed Read: The Money Laundering Regulations 2017 (UK) entered into force on 26 June 2017, having been laid before Parliament and approved on 22 June. As regulated persons now move swiftly to ensure compliance, the immediate question is: how different is the draft Regulations, published in April, from the final product? Four key differences and additions are identified and explained.
On 26 June 2017 the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR 2017”) came into force, having been made, laid before Parliament and approved all on 22 June 2017. Regulated businesses are now faced with the inestimable task of ensuring both their firm-wide and client-specific risk assessment processes and procedures are sufficiently robust to comply with MLR 2017 – after the commencement date. Against this background, one immediate question is: how different really is the finalised MLR 2017 from the draft published by HM Treasury in April 2017 for public consultation? Following a detailed comparative analysis of the draft Regulations and the final product, key differences are identified below.
Risk assessment and review
Chapter 2 of Part 1 of MLR 2017 is dedicated to the performance of multi-layered risk assessments. The requirement to perform a risk assessment is present across all levels of the UK approach to anti-money laundering from the top down. At a national level, under Regulation 16, the Treasury and Home Office must arrange a money laundering and terrorist financing risk assessment for the UK by mid-2018. A similar requirement, under Regulation 17, applies to all industry supervisory authorities to identify and assess money laundering and terrorist financing risks present in their sector. Regulation 18 extends the duty to perform a risk assessment to each regulated business. At the business level, two risk assessments are required. A business-wide risk assessment of money laundering and terrorist financing risk, following a consideration of customer type, geographical features, transactions, products and delivery channels, as well as a specific risk inquiry prior to the commencement of each client relationship and, indeed, during the course of the relationship.
Under Regulation 19, policies and procedures must established and maintained by a regulated business, proportionate to the level of risk identified. Analysis of Regulation 19, however, reveals that the MLR 2017, now in force, contains an additional duty that was not present in the circulated draft. Beyond establishing and maintaining proper risk controls, a positive duty on regulated businesses to “regularly review and update” such policies and controls has been inserted in Regulation 19(1)(b). Businesses will also be required to maintain a written record of all changes to AML policies, controls and procedures made as a result of a review and all “steps taken to communicate” the changes to staff. A similar requirement applies in Regulation 20 to parent companies in the UK, falling within the scope of a “relevant” (regulated) person.
Proportionality and screening
All this said, the enlarged duties in Regulation 19 are tempered by a clear endorsement of the proportionality principle. Regulation 19(2) expressly recognises that all policies and procedures adopted by a regulated business must be “proportionate with regard to the size and nature” of the business. Certainly, this will be welcome news for small businesses who, during public consultation on the transposition of the EU Fourth Money Laundering Directive, expressed concerns about the onerous compliance burden.
Beyond this, alongside the need to implement and regularly review AML policies and procedures, is a requirement in Regulation 21 that regulated persons implement internal controls applicable to employees engaging with compliance matters. Previously, the draft Regulations required a firm to “carry out screening of relevant employees and agents” at regular intervals. “Screening” refers to assessing the skills, knowledge and expertise of a particular individual. The final version of the Regulations, however, has slightly lessened the compliance burden in one respect by dropping the reference to “agents” in Regulation 21.
A duty to maintain written records of training given to relevant employees, which practically would include all fee earners and those in the Compliance function, also appears in Regulation 24. No such duty featured in the draft Regulations.
Transfer of funds and cooperation
Regulation 63 of MLR 2017 imposes a positive duty on transfer of funds supervisory duties to effectively monitor payment service providers (“PSPs”), take measures to secure PSP compliance with the regulation as it relates to funds transfer and encourage PSPs to report breaches. Alongside these duties, a positive duty appears in Regulation 63(d) for such supervisory authorities to “take such steps as it considers appropriate” to “cooperate” with other supervisors, the Treasury and law enforcement agencies in relation to developing policies to counter money laundering and terrorist financing, and beyond this to cooperate with overseas authorities. Significantly, cooperation is expressly recognised as encompassing the sharing of information.
Although the steps required to be undertaken by a transfer of funds supervisory authority is a matter of discretion, a positive requirement for a particular sector to cooperate with law enforcement is certainly an interesting development of the UK’s AML framework. The requirement to cooperate extends to all PSPs established in the UK, even if its head office is in another country or those operating elsewhere but with a UK office.