Measures are limited but potentially significant, including bringing cryptoassets within the scope of regulation and broadening enhanced due diligence to all transactions involving high-risk third countries.

The Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (the Regulations) came into force on 10 January 2020, implementing the Fifth EU Money Laundering Directive (5MLD) and updating the UK’s anti-money laundering (AML) regime to incorporate international standards set by the Financial Action Task Force.

The Regulations make limited but potentially significant amendments to the UK’s AML regime through the amendment of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs), which implemented the Fourth EU Money Laundering Directive.

We summarise some key changes in this briefing.

Expansion of the regulated sector

The Regulations bring the following businesses within scope of the regulated sector:

  • cryptoasset exchange providers;
  • custodian wallet providers;
  • art market participants; and
  • letting agents.

Firms in these areas will now be required to conduct AML due diligence and undertake monitoring to identify suspicious transactions.


One noteworthy area in which the UK has decided to “gold-plate” the requirements of 5MLD is in respect of cryptoasset activities. The Regulations broaden the definition of “virtual currency” in 5MLD, using instead the definition of “cryptoassets” to capture all relevant activity involving exchange, security and utility tokens for the purposes of AML/CTF regulation. The Regulation also confines the scope of cryptoassets to those using distributed ledger technology.

Cryptoasset businesses carrying out regulated activities in the UK are required to register with the Financial Conduct Authority (FCA), with transitional provisions applying for existing providers. Those that fail to register by 10 January 2021 will be required to cease trading.

Further information on the new requirements that apply to cryptoasset businesses can be found on the FCA’s recently updated webpage.

Customer due diligence

The Regulations impose a requirement for relevant persons to take reasonable measures to understand the ownership and control structure of their customers. Reasonable measures must also be taken to verify the identity of senior managing officials when the beneficial owner of a corporate cannot be identified.

The use of electronic identification processes is now permitted where these are independent of the person whose identity is being verified, secure from fraud and misuse, and capable of providing an appropriate level of assurance. Guidance is to be issued by HM Treasury giving further detail on this aspect.

The circumstances in which the customer due diligence exemption applies for low-risk e-money products have been narrowed. As from 10 July 2020, there will be new requirements for credit institutions or financial institutions acting as an acquirer for payment using an anonymous prepaid card issued in a third country.

High-risk countries

The Regulations broaden the need to undertake enhanced due diligence (EDD) by extending the requirement to all transactions involving a high-risk third country. Previously this requirement has been limited to customers established in a high-risk country. In practice, this change will necessitate EDD being undertaken where any party to a transaction, and not simply the customer, is established in a high-risk country.

If this trigger is engaged, the following measures will be needed:

  • obtaining additional information on the customer and on the customer’s beneficial owner;
  • obtaining additional information on the intended nature of the business relationship;
  • obtaining information on the source of funds and source of wealth of the customer and of the customer’s beneficial owner;
  • obtaining information on the reasons for the transactions;
  • obtaining the approval of senior management for establishing or continuing the business relationship; and
  • conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.

Companies House report

The Regulations introduce a new obligation on firms to report to Companies House any discrepancy between beneficial ownership information on the People with Significant Control Register and information which the firm receives through its due diligence.

The precise detail for this is not yet clear, but it is an interesting development that imposes a secondary policing obligation on all businesses that are subject to the Regulations.

Assisting enforcement

The Regulations will require (by 10 September 2020) new national bank account registers in each Member State to enable easy access by law enforcement and supervisory authorities to bank account information for all accounts held in each state. The registries will all be interconnected, and the new obligations will require credit institutions and providers of safe custody services to have systems that will enable them to respond, using a central automated mechanism, to a request for information made by a law enforcement authority or the Gambling Commission. Information can be requested by enforcement agencies even where no Suspicious Activity Report has been filed.

When do firms need to comply?

The FCA expects firms to comply with the amended MLRs from 10 January 2020. However, save in respect of certain cryptoasset activities, the FCA is exercising a degree of regulatory forbearance given that the Regulations were only published on 20 December 2019. In assessing its approach to firms that may not be compliant on that date, the FCA has stated that it will take into account evidence that they have taken sufficient steps before that date to comply with the new obligations.

The changes to the MLRs, now implemented in the Regulations, reflect the continuing heightened focus on financial crime, not least in an effort to tackle sources of terrorist funding. In this respect, the efforts to marry up information held by different bodies and the requirement on businesses to report inconsistences that they detect demonstrate the direction of travel.

While the UK will cease to be subject to EU law at the end of the Brexit transition period, it is highly likely that all the requirements of 5MLD, and its predecessors, will be adopted in the UK and remain a critical part of UK law enforcement efforts.

The Regulations also provide a timely reminder to firms within the regulated sector to review and, if necessary, refresh their AML procedures.