The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 came into force on 26 June 2017, implementing the EU’s Fourth Money Laundering Directive and replacing the 2007 Regulations.

The 2017 Regulations signal a shift away from a prescriptive approach, towards one requiring regulated businesses to consider and act on the specific risk factors they face.

Who do the 2017 Regulations apply to?

The 2017 Regulations apply to: credit and financial institutions, auditors, insolvency practitioners, accountants and tax advisers, legal professionals, trust or company service providers, estate agents, high value dealers (earning at least €10,000 on a trade of goods) and gambling providers. Certain of the Regulations will also apply to auction platforms.

The 2017 Regulations provide an exemption for persons engaging in financial activity “on an occasional or very limited basis”, as defined by the fulfilment of all criteria in Regulation 15(3).

What are the key provisions and changes?

The 2017 Regulations do not provide a complete overhaul of the previous legislation. Instead, businesses will now be required to adopt a more risk-based approach to their anti-money laundering procedures and controls, including their customer due diligence measures.

Key changes for regulated businesses and their MLROs include:

Risk assessments:

  • Regulated businesses are required to undertake written risk assessments to identify the risks posed to their specific business by money laundering and terrorist financing (Regulation 18).
  • The 2017 Regulations specify a number of factors which must now be considered during these risk assessments, including: geographic areas of operation, customers, the types of services and products, and the nature of transactions.
  • Risk assessments must be made available to the relevant supervisory authority on request.

Policies, controls and procedures:

  • Written policies, controls and procedures (as approved by senior management) must be put in place in order to manage and mitigate the risks identified in the firm’s own risk assessment (Regulation 19). These procedures must include customer due diligence and regular training for relevant employees.
  • Subject to limited exceptions, a firm must communicate and apply its policies, controls and procedures under the 2017 Regulations to its branches and subsidiaries – including those located outside the UK.

Customer due diligence (CDD):

  • Part 3 of the 2017 Regulations sets out the circumstances in which CDD must be applied for new and existing customers.
  • ‘Simplified CDD’ is no longer deemed automatically sufficient in any circumstances. Now, businesses must always consider the applicable risk factors (taking into account their risk assessments), and consider what level of CDD is appropriate.
  • ‘Enhanced CDD’ and enhanced ongoing monitoring are compulsory in certain high-risk situations, such as transactions or business relationships involving a ‘high-risk third country’, or where the customer is a politically exposed person (PEP).
  • Firms must have appropriate risk-management systems in place to identify whether customers or their beneficial owners are PEPs – or family members or known close associates of a PEP. Enhanced CDD measures must now be applied to a person for at least 12 months after they cease to be a PEP.

Employee screening and training:

  • Regulation 21 sets out a requirement for the screening of relevant employees.
  • A relevant employee is defined as anyone whose work is:
    • relevant to the firm’s compliance with any requirement in the Money Laundering Regulations; or
    • otherwise capable of contributing to the:
      • identification or mitigation of the risks of money laundering/terrorist financing to which the firm is subject; or
      • prevention or detection of money laundering/terrorist financing in relation to the firm’s business.
  • Screening of relevant employees means an assessment of:
    • the skills, knowledge and expertise of the individual to carry out their functions effectively; and
    • the conduct and integrity of the individual.
  • The screening obligation will only apply to firms “where appropriate with regard to the size and nature of [their] business”.
  • On training, Regulation 24 requires that relevant employees are:
    • made aware of the law relating to money laundering and terrorist financing, and to data protection; and
    • regularly given training in how to recognise and deal with transactions and other activities which may be related to money laundering and/or terrorist financing.

Investigations and enforcement: new criminal offence:

  • Part 8 of the 2017 Regulations makes extensive provision for the investigation of breaches of AML requirements. We anticipate that, in line with the statements made in the FCA’s 2017/2018 Business Plan, the FCA will treat AML breaches with increasing severity.
  • To this end, Part 9 of the 2017 Regulations creates a new criminal offence, whereby any individual who recklessly makes a false or misleading statement in the context of a money laundering investigation may now face a fine or up to 2 years’ imprisonment.

Practical guidance

The FCA has indicated that it will look to use its powers under the 2017 Regulations to prosecute firms which have poor AML controls in place. It is essential that relevant businesses act now to take detailed legal advice on the 2017 Regulations. In particular:

  • Relevant staff should familiarise themselves with the new 2017 Regulations and training should be provided, particularly for staff conducting CDD.
  • The changes to CDD requirements (removal of the automatic application of simplified CDD and new obligations to perform enhanced CDD) must be immediately implemented into firms’ CDD policies.
  • Detailed written risk assessments, complying with the requirements set out in the 2017 Regulations, need to be conducted.
  • Following on from the risk assessments, AML policies, internal controls and procedures should be reviewed and brought up to date – referencing the risk assessments.
  • Businesses should look out for sector-specific guidance, still to be published. The FCA has recently completed a consultation on its own guidance and procedures and is due to release a policy statement in July 2017.