Suddenly there is a sense of urgency around the UK's implementation of the fourth Money Laundering Directive (MLD4). Following Treasury's initial consultation on how to implement MLD4 in September 2016, it has now published the feedback to that consultation and the draft Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLR 2017). Time is now running short, and the legislation must be in force by 26 June. All businesses covered by MLD4 will need to make changes to their procedures, systems and controls to comply with the requirements not only of the MLR 2017, but also the new JMLSG and FCA guidance (for which consultations are starting to follow).
The changes, some nuanced, and some fundamental will cause all firms to reassess their AML and CTF policies and procedures. Treasury has taken the opportunity to give a complete overhaul to the existing Money Laundering Regulations. The legislation is so detailed it is not possible to address everything it covers in one article. This article focuses on the changes to due diligence that affect firms authorised under the Financial Services and Markets Act 2000 and other financial institutions covered by the MLR 2017. In this article, we refer to these as "firms", although in the speak of the MLR 2017 they are part of the wider community of "relevant person".
Who must carry out risk assessments?
Chapter 2 sets out the duties of each of:
- Treasury and the Home Office
- The supervisory authorities
- Relevant persons.
in respect of risk assessments. The assessments firms must do should identify and assess the risks of money laundering and terrorist financing to which their businesses are subject, taking into account information the supervisory authorities make available to them and other risk factors, including the familiar ones of customers, geography, products and services, transactions, and delivery channels. The assessment must take into account the size and nature of the business, and the firm must keep an up-to-date written record of what it has done, unless its supervisor tells it otherwise (which it can do only if it considers the risks in the relevant sector are clear and understood).
The obligations on the Government and supervisors to carry out risk assessments should be helpful to the firms who are then obliged to carry out their own assessments – but it will also mean that these assessments will need to show how they have considered the wider picture these additional reviews provide.
What risk mitigation policies should firms have?
Regulation 19 obliges firms to establish and maintain policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified in any risk assessment they undertake, and to keep a written record of them. These must be both proportionate to the size and nature of the firm's business and approved by its senior management (which means an officer or employee who has sufficient knowledge of the firm's ML/TF risk exposure and is of sufficient authority to take decisions regarding its risk exposure). They must include:
- Risk management practices
- Internal controls (which, proportionate to the size and nature of business, should include:
- appointing a board member as the person responsible for compliance with the MLR 2017
- carrying out screening of all relevant employees and agents, both before appointment and at regular times during it. "Screening" means assessing the skills, knowledge and expertise of the individual to carry out their functions effectively and of their conduct and integrity; and the screening must cover any person whose work is relevant to the relevant person's compliance with the MLR 2017 or otherwise capable of contributing to ML/TF risk identification or mitigation or to its detection or prevention
- establishing an independent audit function to examine and evaluate the adequacy and effectiveness of the policies, recommend change and monitor compliance with the recommendations
- appointing a person as nominated officer, and informing the supervisory authority of the identity of both the person responsible for compliance and the nominated officer
- e-money issuers must appoint an individual to monitor and manage compliance with, and communication of, internal controls and procedures on the policies mentioned below with a particular view to identifying high risk situations, keeping records, applying measures to ensure the risks are taken into account in new products and dealing with new customers and business changes; and that senior management is briefed at least annual on the operation and effectiveness of the policies
- keeping systems to enable full, rapid responses to financial investigators and other enforcement officers on whether the relevant person has, or has had in the past five years, a particular business relationship and, if so, the nature of it
- e-money issuers and payment service providers must have a central UK contact if requested to do so
- authorised persons supervised by FCA must inform FCA of any intention to act as a money service business or a trust or company service provider (or if they cease to do so)
- taking appropriate measures to ensure its relevant employees and agents are made aware of the law relating to ML, TF and data protection, and are regularly given training in how to recognise and deal with transactions and other activities which may be related to money laundering or terrorist financing.
- Customer due diligence
- Reporting and record keeping
- Monitoring and management of compliance with, and the internal communication of, such policies, controls and procedures
Moreover, the MLR 2017 mandate that the policies should include those:
- Which provide for identification and scrutiny of any case where there is no apparent economic or legal purpose and the transaction is unusually large or complex or presents and unusual pattern of transactions, and of any other activity which the relevant person regards as particularly likely by its nature to be related to money laundering or terrorist financing
- Which specify additional measures to be taken where appropriate to prevent the use for ML/TF purposes of products that might favour anonymity
- Which ensure the firm assesses and mitigates the ML/TF risks that might occur when it adopts any new technology
- Under which any person who knows or suspects that a person is engaged in ML or TF, or has reasonable grounds for doing so, is required to comply with the relevant provisions of the Terrorism Act (TA) or the Proceeds of Crime Act 2002 (POCA).
Where relevant, these policies must be communicated to its branches and subsidiaries outside the UK.
Where the firm is a parent undertaking of a group, it must ensure the policies apply to all its subsidiaries, whether within or outside the UK, and its non-UK branches where the branch or subsidiary is carrying on relevant business. The parent must also establish and maintain policies, controls and procedures for data protection and information sharing within the group for the prevention of ML/TF, and keep a written record of these. Where there are subsidiaries and branches in the EEA, the parent must ensure that these offices follow the local laws implementing MLD4. Otherwise, they must ensure third-country operations apply measures at least equivalent to UK measures so long as local laws allow it. If they encounter issues with local laws, the parent must tell its supervisor and take additional measures to address the ML/TF risks.
What are the requirements on customer due diligence
Chapter 1 of Part 3 sets out the basic obligation (in Regulation 27) that a firm must apply customer due diligence (CDD) measures when they:
- Establish a business relationship
- Carry out an occasional transaction that amounts to a transfer of funds of over €1,000
- Suspect ML or TF
- Doubt the veracity or adequacy of documents or information previously obtained for identification or verification.
Relevant persons who are not high value dealers or casinos must apply CDD if they carry out any occasional transaction amounting to €15,000 or more. Particular rules apply to high value dealers and casinos, which are outside the scope of this article.
Where a firm has to apply CDD measures, it must:
- Identify any customer unless the customer's identity is known to and has been verified by the relevant person;
- Verify the customer's identity on the basis of documents obtained from a reliable source which is independent of the customer; and
- Assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or transaction.
The regulations are prescriptive on the information that must be obtained about a body corporate, and on the requirement to identify and to take reasonable steps to verify the identity of its beneficial owner (unless the company is listed on a regulated market). They also provide that if the firm has exhausted all possible means of identifying the beneficial owner but has either not succeeded in doing so or doubt whether the individual identified is in fact the beneficial owner, then the firm can treat the senior person responsible for managing the customer as its beneficial owner. The MLR 2017 make it clear that a firm cannot meet the standards required simply by referring to the relevant register of people with significant control.
There is also an obligation to identify and verify the identity of a person who purports to act on behalf of the customer – and the verification must be done on the basis of documents or information obtained from a reliable source that is independent of both that person and the customer.
Ongoing monitoring standards and suspicion reporting
Firms must conduct ongoing monitoring of business relationships, including scrutinising the transactions to ensure they (and the source of funds for them) is consistent with the knowledge of the customer, its business and risk profile; and undertaking reviews of records and keeping CDD documentation and evidence up to date. This must be done on a risk-based approach.
Where a firm has undertaken CDD and also has made a suspicious activity report (SAR), then if continuing to apply CDD would result in tipping off, then the firm does not have to continue to apply CDD.
Firms must be able to satisfy their supervisors that the extent of measures they have taken to satisfy the CDD requirements are appropriate in the light of their own, and their supervisory authority's, risk assessments.
There are particular rules for particular products. Where a firm is providing a customer with a contract of long-term insurance, it must also take the full name of the beneficiary(ies) or get enough information to be satisfied it will be able to establish the identity of the beneficiary at any time when there is a pay out. Then, they must verify the identity of any beneficiary before making a pay out (including identifying any new beneficiaries if the policy has been assigned). Similarly, no payout should be made to a beneficiary under a trust or similar arrangement until the beneficiary has been identified and verified.
Verification must happen before the establishment of the business relationship or the carrying out of the transaction, but may be done during the establishment of the relationship if it is necessary not to interrupt the normal conduct of business and there is little ML/TF risk. There must also be adequate safeguards in place to ensure that no transactions are carried out before verification has been completed, if an account is opened beforehand.
Firms must not carry out any transaction or establish a business relationship, and must terminate any existing relationship, if they are unable to apply CDD measures. They will also need to consider whether to make a SAR. They may return money to the person who deposited it, provided they have consent under POCA or the TA (if necessary).
There is an exception for trustees of debt issues, where a firm is appointed by an issuer as trustee or whose customer is such a trustee. Where the instruments in question are debt instruments or government or public securities, no CDD is necessary,
A firm must apply EDD and enhanced ongoing monitoring in addition to the CDD described above, where:
- There is a high risk of ML/TF
- Any transaction or business relationship is with a person in a high risk third country (except where it is a branch or majority owned subsidiary of an undertaking which is within the EEA and subject to MLD4, the customer in question applies group-wide policies and the relevant person has determined on a risk-based approach, that it is not necessary to apply EDD)
- There is a correspondent banking relationship
- The firm has determined a customer or potential customer is a PEP or a family member or known close associate of a PEP
- The customer has provided false or stolen identification documents or information;
- The transaction is complex and unusually large, or there is an unsual pattern of transactions, in either case if the transaction(s) have no apparent economic or legal purpose
- Where, by its nature, the case could present a higher risk of ML/TF.
Where EDD is applied, it must include:
- As far as reasonably possible, examining the background and purpose of the transaction
- Increasing the degree and nature of monitoring of the relevant relationship to determine whether the transaction or relationship appear to be suspicious.
EDD may also include:
- Getting additional independent, reliable sources to verify information
- Taking additional measures to understand the background, ownership and financial situation of the customer and other parties to the transaction
- Taking further steps to be satisfied the transaction is consistent with the purpose and intended nature of the relationship
- Increasing the monitoring of the relationship.
When assessing whether there is a high ML/TF risk and what to do to manage and mitigate it if there is, firms must take account of at least:
- Customer risk factors including who and where the customer is and the circumstances of the business relationship
- Product, service, transaction or delivery channel risk factors, including the type of service, anonymity and non face-to-face business, the use of nominees and who payments will be received from
- Geographical risk factors including assessment reports from credible sources of ML/TF or corruption risks, whether sanctions are in place, and whether the countries provide support for funding terrorism
- Any guidance issued by the ESAs.
If a credit or financial institution wants to enter into a correspondent relationship with an institution from a third country, it must:
- Get enough information about the respondent to fully understand its business
- Determine the reputation of the respondent and how it is supervised – from publicly available information from credible sources
- Assess the respondent's AML and CFT controls
- Get senior management approval
- Document the responsibilities of respondent and correspondent and
- Be satisfied that, for any of the respondents' customers who have direct access to the correspondent's accounts, that the respondent has verified the customers' identity and conducts ongoing monitoring, and can provide within two working days of a request, the evidence they have gathered.
There can be no relationships with shell banks, and enhanced measures should be applied to ensure institutions do not enter into correspondent relationships with institutions that are known to allow shell banks to use their accounts.
New anonymous accounts and passbooks are banned, and CDD must be applied to any in existence at the date the MLR 2017 take effect.
Firms must have in place appropriate risk-management systems and procedures to determine whether a customer or its beneficial owner is a PEP, family member or known close associate of a PEP and to manage the enhanced risks that arise from a relationship with that person. In putting in place their systems and procedures, firms should take account of their own risk assessments and the level of ML/TF risk inherent in their business, the extent to which a relationship with a PEP (or related person) would increase the risk and any relevant information available from supervisory authorities.
If the determination is positive, then the firm must assess the level of risk associated with the particular customer and the extent of the EDD that should be applied. This in turn will also depend on available supervisory guidance and reports. If the determination is to carry on with the relationship, the relationship must be approved by senior management, and the firm must take adequate measures to establish the source of wealth and funds involved, and then conduct enhanced ongoing monitoring.
Where the product involved is long-term insurance, the firm must take reasonable measures to determine whether one or more beneficiary is a PEP or related person, and ensure senior management approval is obtained before any payout is made to such a person, and must scrutinise the ongoing entire business relationship on an enhanced basis, even where the policyholder is not a PEP or related person. Firms may stop applying EDD measures to PEPs from 12 months after they cease to hold the function, but may apply them for longer.
When can firms use simplified due dilegence (SDD) ?
Firms may apply SDD if they determine the business relationship or transaction presents a low degree of risk of ML/TF, having taken into account their own risk assessment, relevant supervisory information, and:
- Customer risk factors (including if the customer is publicly owned, resident in a low-risk jurisdiction, itself subject to MLD4 or is listed on a regulated market (and where the market is))
- The product, service, transaction or delivery channel risk (including if the product is a low-premium life insurance policy, is an employer-funded pension scheme, is a product designed for financial inclusion, is a product that inherently manages ML/TF risks, is a Child Trust Fund or junior ISA etc)
- Geographical risk factors (is the customer in an EEA state or other third country with good AML/CFT systems, with a low level of corruption and subject to favourable reports.
Where a firm applies SDD, it can adjust the extent of CDD measures; and it must also carry out monitoring that would enable it to detect any unusual or suspicious transactions. It must also take account of ESA guidelines, and must no longer apply SDD if it doubts the accuracy of documents provided, change the risk assessment or if it suspects money laundering or terrorist financing.
Firms may treat EEA-based solicitors' pooled accounts with SDD provided the overall relationship is low risk, and information on the identity of the persons on whose behalf the monies are held would be available within two days of request.
Is reliance still possible?
Reliance is still possible under the MLR 2017. A firm may rely on another person who is subject to the MLR 2017 or equivalent to carry out CDD, but only if it obtains from that third party significant amounts of the CDD information required and enters into a written agreement with the third party under which the third party agrees to provide within two working days of a request to do so copies of any identification and verification data on the customer or its beneficial owner, and agrees to keep records for the periods the MLR 2017 require.
The MLR 2017 confirm that firms are permitted to rely on CDD carried out by other group companies, provided these are carried out to MLD4 standards under the supervision of an appropriate MLD4 supervisor. They also confirm firms may outsource CDD, but again will remain liable for any failures.
What CDD records must be kept?
In principle, copies of all relevant documents and information, with sufficient supporting records in respect of transactions to enable the transaction to be reconstructed must be kept for 5 years from the date the firm knows, or has reasonable cause to believe, that the transaction is complete or that the business relationship has come to an end.
At the end of that period, any personal data must be deleted unless there is a legal requirement to keep it or the data subject has expressly consented.
Firms who are relied on by others must keep records for 5 years from the date the reliance stated in relation to any business relationship or transaction, and must provide any information requested within two working days of the request.
How does this sit with data protection?
Any personal data obtained for the purposes of complying with the MLR 2017 may only be processed for the purposes of preventing money laundering and terrorist financing.
What if a firm gets it wrong?
The supervisory authority may take a number of actions for breach of various "relevant requirements", which are listed and include the requirements imposed by several individual regulations and relate to CDD. It is outside the scope of this article to address each particular offence and how regulatory action may result. Suffice it to say there can be civil, administrative or criminal penalties, that individual officers may also be liable and that where offences are committed by corporates they may be appropriate for resolution by deferred prosecution agreement.
What should firms be doing?
The MLR 2017 are still in draft, as are the amended JMLSG Guidance notes. However, they are unlikely to change much, and firms should be prepared for these to be the requirements that will apply from late June. Looking at the mark up of the JMLSG Guidance, firms may take some comfort from the fact it has not been necessary to undertake a wholesale re-writing. However, this does not of itself mean they should be complacent that only slight changes to their CDD policies and procedures are needed. At the very least, firms will need to:
- Revise their policies and procedures so they factor in national and EU risk assessments and guidance
- Ensure appropriate individuals are appointed to key risk management and ML/CT prevention positions
- Review their CDD policies to ensure all required elements are captured
- Amend their EDD policies in light of the stringent MLD4 requirements.