Late 2018 and early 2019 saw a flurry of regulatory developments and proposals relating to anti-money laundering. We have reported on these in brief in our regular corporate crime updates, but for those who have been – for example – too immersed in Brexit to read the underlying documents in detail, we have taken this opportunity to bring together an overview of, and commentary on, a number of recent anti-money laundering/counter-terrorist financing (“AML/CTF”) developments.
12 March 2019, London

Table of contents
1. Financial crime data returns
2. EU list of high risk third countries
3. Anonymous safety deposit boxes
4. Money laundering risks in the E-money sector
5. Decision Notice: FCA imposes penalty on CEO for AML failings
6. Money laundering supervision in the UK
7. FATF mutual evaluation of the UK
8. FATF guidance on a risk-based approach to the securities sector
9. Other FATF developments of interest: virtual assets and DNFBPs
10. Reform to the UK's suspicious activity reporting regime
11. The scale of money laundering in the UK
12. Amendments to the Financial Crime Guide
13. Brexit
14. Conclusion
15. Contacts

1. Financial crime data returns

In November 2018, the FCA published its first report (the "Report") on aggregate data drawn from firms' annual financial crime data returns (REP-CRIM). REP-CRIM was required to be completed by over 2,000 firms, including all UK-based banks and building societies.

It is fair to say that it is difficult to draw many compliance-relevant conclusions from the published data. For example, the Report identifies that institutions submitting the return had a total of 549 million customer relationships, of which 0.02% were PEP relationships, 0.29% were classified as high risk for other reasons, and 0.23% were linked to high risk jurisdictions. If significantly more than 0.2% of your customers are PEPs, does this make you an outlier? Not necessarily, as the data is aggregated across very different institutions in terms of size, product line and customer base, and must therefore mask significant differences between firms. Further, the most important question for any firm is not its absolute number (or percentage) of PEP or other high risk customers, but rather whether it has adequate controls to manage the increased risk such customers may present. Similarly, the number of suspicious activity reports ("SARs") escalated within firms (922,544) or filed with the NCA (363,153) provides little basis for comparative analysis. What will no doubt be of more interest to the FCA, but is not apparent from this report, is the changes in these statistics for particular firms or types of firm over time, and, to the extent comparisons can safely be made, differences between comparable institutions.

The section of the report which has the most potential utility relates to firms' assessment of jurisdictional risk. This presents an aggregated table showing which territories were most often classified as high risk by FCA/PRA regulated firms. The data comes with a number of caveats: it represents views on financial crime risk rather than just AML/CTF risk; some countries may have been rated high risk less often because fewer firms had occasion to risk assess those countries; and more generally the first REP-CRIM return was required to be compiled on a 'best efforts' basis. The FCA also makes clear that this ranking does not represent the FCA's opinion – no doubt recalling the controversy that surrounded the publication some years ago of the high risk country list which at that time the FCA was using in supervisory visits.

Nonetheless, in circumstances where firms are forced to spend significant time and resource individually undertaking country risk assessments on the basis of relatively high level guidance, it is useful to have a cross-check on the conclusions other firms have drawn about the risk presented by particular countries. This section of the Report therefore merits closer review. For example, if there is a jurisdiction which generally appears to be viewed as very high risk, which your firm has assessed as low risk, this may be a prompt to reconsider the basis for your firm's risk assessment.
(That said, there are few surprises in the top-ranked jurisdictions, or indeed in the jurisdictions at the bottom end of the list that are least frequently ranked as high risk).

The report is also of some interest in providing a sounder evidential basis for estimates of the total cost of financial crime compliance (conservatively estimated as £650 million in terms of staff costs), and the role of the financial sector in assisting law enforcement (firms received 123,028 investigative court orders during the reporting period, with 15,930 restraint orders in effect).

The report also contains a ranking of firms' views of the most prevalent fraud types (although this field was optional and not completed by all firms). This supports the not very startling conclusion that cyber-crime of various types is a key concern, with frauds enabled by new technology widely perceived to be growing in volume faster than a number of more traditional fraud types.

2. EU list of high risk third countries

A more recent development relating to jurisdictional risk is the controversy surrounding the most recent iteration of the EU list of 'high risk third countries'. Readers will be aware that the Fourth Money Laundering Directive [1] ("4MLD"), and thus the UK Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("MLR 2017"), require enhanced due diligence ("EDD") to be conducted on customers in 'high risk third countries' ("HR3C"). These are countries identified as such by the European Commission via a delegated regulation adopted under Article 9(2) of 4MLD. Firms may, of course, need to conduct EDD when dealing with customers in other jurisdictions they have assessed as high risk, but where a customer is established in an HR3C, this tips them automatically into EDD [2].

Until recently, the Commission's list comprised countries assessed as high risk aligned with the FATF so-called dark grey list, and as such was relatively uncontroversial.
Indeed, the main debate concerning the list was the countries that were not on it rather than those that were; following the adoption of the first list, and in light of the Panama Papers scandal, the European Parliament had called for the inclusion of more jurisdictions.

On 13 February 2019, the Commission published a list of 23 countries assessed as having strategic deficiencies in their AML/CTF regimes, comprising 12 countries listed by FATF (the Bahamas, Botswana, the DPRK, Ethiopia, Ghana, Iran, Pakistan, Sri Lanka, Syria, Trinidad and Tobago, Tunisia and Yemen) and 11 additional jurisdictions (Afghanistan, American Samoa, Guam, Iraq, Libya, Nigeria, Panama, Puerto Rico, Samoa, US Virgin Islands). These were a sub-set of 54 jurisdictions which had been risk assessed by the Commission, which were in turn a 'Priority 1' sub-set of 132 jurisdictions identified for review.

The list met with hostility from the US Treasury and, reportedly, Saudi Arabia. The US Treasury noted "significant concerns" regarding the substance of the list and the "flawed process" by which it was developed, rejected the inclusion of American Samoa, Guam, Puerto Rico and the US Virgin Islands, and noted that it "does not expect US financial institutions to take...the list into account".

[1] Directive 2015/849/EU of the European Parliament and of the Council of 20th May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.
[2] Save where the customer is a branch or majority owned subsidiary of an EEA entity (which is subject to national law implementing 4MLD and supervised for compliance), the customer complies fully with relevant group-wide AML policies and procedures, and the firm, taking a risk-based approach, does not consider it necessary to apply EDD (MLR 2017, reg.33(2)).
Most recently, the list was unanimously rejected by the European Council, meaning that it will not pass into law in its current form, and the Commission must go back to the drawing board.

Whilst these developments mean that firms, for now, can continue to use the pre-existing list of HR3Cs, this remains an area to watch closely. The Commission is required to conduct this risk assessment, and its criteria for identifying HR3Cs set out in 4MLD (as amended) are different from those used by the FATF. There are also a host of Priority 2 countries which are scheduled to be assessed over a period up to 2025. Whilst this is plainly a political hot potato, it seems unlikely that the EU will simply stick with the FATF list indefinitely.

The HR3C list will gain additional importance when member states implement the Fifth Money Laundering Directive [3] ("5MLD") (the relevant provisions of which are due to be implemented in January 2020). 5MLD has not only added additional criteria for identifying countries as HR3Cs, but has also significantly expanded and made more granular the related EDD requirements. When the UK Government consults on the implementation of 5MLD (assuming it maintains its currently stated intention to do so), this will be an important area with which to engage. The practical impact of the new EDD provisions could – assuming an expanded HR3C list – be significant, and there are a number of ambiguities in the drafting of 5MLD, including notably the trigger for EDD (namely "business relationships and transactions involving [HR3Cs]" (emphasis added)).

3. Anonymous safety deposit boxes

Moving from the general to the specific, the MLR 2017 were amended, with effect from 10 January 2019, by the Money Laundering and Terrorist Financing (Miscellaneous Amendments) Regulations 2018 ("Amending Regulation") to prohibit anonymous safety deposit boxes.
Regulation 29 of the MLR 2017, which applies to credit and financial institutions only, previously prohibited such firms from setting up anonymous accounts or anonymous passbooks for any new or existing customers, and required firms to apply customer due diligence ("CDD") measures to any such accounts and passbooks in existence when the MLR 2017 came into force. The Amending Regulation extends this obligation to also cover anonymous safety-deposit boxes, and requires CDD to be conducted on all anonymous safety-deposit boxes existing on 10 January 2019, and in any event before they are used.

Separately, the Amending Regulation also (a) specifies which decisions made by the FCA and HMRC under the MLR 2017 can be appealed (respectively to the Upper Tribunal or the tribunal), (b) amends the FCA's power to disclose information it obtains in its capacity as OPBAS (overseeing the professional body AML supervisors), and (c) in respect of Scotland only, extends certain disciplinary powers which the Law Society of Scotland has in respect of its accounts rules to also cover its AML rules.

[3] Directive 2018/843/EU of the European Parliament and of the Council of 30th May 2018.

4. Money laundering risks in the E-money sector

Also of sector-specific relevance is the FCA's thematic review, published in October 2018, on money laundering and terrorist financing risk in the e-money sector (TR 18/3) ("E-money review"). The E-money review summarises the FCA's findings from a programme of visits to 13 authorised e-money institutions and registered small e-money institutions. The FCA's focus was on these firms' AML/CTF controls, and it did not assess other services (such as money remittance [4]), other risks (such as fraud, which firms saw as a "key risk"), or activities outside the FCA's supervisory remit (such as pre-paid products denominated in a cryptocurrency).
The majority of firms were found to have effective AML systems and controls, a positive culture and good awareness of financial crime obligations. There was generally a low risk appetite, and relatively few high risk customers.

We summarise below the FCA's observations. These will be of interest, of course, to e-money institutions, but also to firms looking to on-board e-money institutions who want to better understand what 'good' looks like in this space (albeit the limited scope of the review means the findings are less valuable than they might otherwise have been). As ever with FCA thematic reviews, the findings are also of more general read-across value, although it is fair to say that the review does not tell us anything very novel about the FCA's expectations regarding AML/CTF compliance.

The report includes observations in the following areas:

Risk assessment – most firms had a financial crime business-wide risk assessment covering ML, TF and fraud. In some firms this was only in draft and had not been approved or challenged at Board level; the FCA noted that reasonable challenge to both the methodology and content of risk assessments improved them and gave them more weight. In most cases, risk factors used in the assessment included: the use of cash to load products; potential spending patterns, including in high risk countries; identifying higher risk spending; and the risk of using Programme Managers ("PMs") to distribute products. Individual customer risk assessments were less defined in most firms. The FCA considered 'good practice' to include risk assessments for each product and programme, as well as the assessment of PMs and customers during on-boarding. Whilst all firms undertook PEP and sanctions screening, tools to calculate individual customer risk were not always used effectively. For example, one firm's poor practice involved risk scoring only corporate customers (and not retail customers) on an individual basis.
The FCA also highlighted the importance of ensuring that, where risks are identified, appropriate controls are implemented. For example, risk assessments should enable high risk customers to be identified so that they can be subject to EDD and monitoring. Individual risk factors used included: product type, geographical location, loading and spending volumes.

Governance – some larger firms had management committees, whilst smaller firms had a more informal approach to escalation. The smaller firm approach was also found to be effective, but the FCA noted as poor practice at one firm a failure to record the outcome of discussions on AML issues, including responsibility for actions and deadlines.

Culture and risk appetite – there was a well-embedded financial crime prevention culture at most firms. Policies and procedures were generally adequate, approved by senior management, and up to date.

[4] The report notes that the NRA's finding that money remittance is a higher risk area than e-money post-dated the commencement of the thematic review.

CDD was generally performed electronically, with manual CDD as a back-up. Some firms used other electronic tools, such as geolocation software, to authenticate the customer's location, as additional CDD measures for non-face-to-face relationships. This also detected cases of multiple applications using the same IP address. Where PMs were used, in most cases CDD was outsourced, but sometimes the firm undertook elements of CDD itself. In any event, spot-checking the PM's work, by having access to records and systems and using on-site visits to acquire an understanding of their systems and controls, was noted as good practice.

EDD – there were very low numbers of PEP customers, and for most retail customers the only EDD trigger was based on spending thresholds. EDD was conducted up-front for some higher risk products (e.g. cross-border products and cash-loaded cards), and for most business customers (including sole traders).
EDD on business customers included site visits and monitoring of customers' websites using specialist providers; EDD on PMs included interviews and assessment of their financial crime control frameworks. The FCA flagged the importance of staff procedures/guidance being clear about the steps to be taken and the types of information acceptable as evidence of source of wealth and source of funds.

Transaction monitoring was effective at most firms and largely automated. Larger firms used a real-time rules-based application to generate alerts, to be followed up by a post-event transaction review. One large firm was noted (in a good practice example) to generate daily and weekly transaction monitoring reports, including information on loads, spending, jurisdiction and loading method, which were reviewed by Compliance. Monitoring parameters must, of course, be kept under review. Good practice may include the firm conducting its own monitoring of its PMs' underlying customers.

Periodic reviews – most firms carried out periodic reviews of high risk relationships, and mainly event-driven reviews for low and medium risk relationships.

Management information – the majority of firms produced monthly or quarterly MI, although the quality of MI was varied. The FCA noted that senior management at firms with clear and effective channels for receiving information – whether formal or informal – were better engaged in AML issues.

Outsourcing – outsourcing to PMs worked well, with effective audits including dip-sampling files, and on-site visits (although one firm undertook remote testing). The selection of PMs to audit was based on factors including customer numbers, methods of loading, types of wallet spending and geographical location.

Training – all firms had induction and compulsory annual AML/CTF training, with a mix of e-learning and classroom-based training. Employees were assessed, and training tracked and reported in MI. Two firms also trained PMs.
The FCA warned about training which was too narrow (for example, only covering the reporting of suspicious transactions).

MLR 2017 compliance – one of the changes affecting e-money issuers introduced by the MLR 2017 was a reduction in the financial thresholds at which certain exemptions from CDD apply; all firms but one had implemented these changes, and one was in the process of doing so.

No formal supervisory tools were needed to remediate issues found during the thematic review.

5. Decision Notice: FCA imposes penalty on CEO for AML failings

We segue now from firms performing adequately to one which has fared less well.

Readers will recall that in October 2016 the FCA imposed a fine of £3,250,600 on Sonali Bank (UK) Limited ("SBUK") and £17,900 on its MLRO, Mr Smith (who was also prohibited from performing certain controlled functions). SBUK's identified failings were extensive and covered a wide range of areas including risk assessment, CDD, EDD, monitoring, the making of SARs etc; the case was of moderate interest only from the well-controlled firm's perspective. Mr Smith's position did however attract some sympathy: he was personally overworked and insufficiently resourced (in addition to his role as MLRO, he was required to act as compliance officer, to document strategies, act as data protection officer, arrange training, and undertake company secretarial work), and he made some improvement to SBUK's controls. Nonetheless, he failed to sufficiently escalate concerns, and instead reported in his MLRO Reports that the firm's AML systems were working effectively.

The FCA has now published a Decision Notice (the "Notice") in respect of Mr Prodhan, SBUK's CEO, imposing a fine of £76,490 for his oversight failures in respect of the MLRO and the bank's AML systems and controls. The Decision Notice has been referred by Mr Prodhan to the Upper Tribunal and a hearing is awaited.
Pending the hearing of Mr Prodhan's case by the Tribunal, we set out below the salient features of the FCA's (contested) case. It is of particular interest in articulating the FCA's expectations of senior managers who delegate their responsibility for the firm's AML compliance (albeit under the pre-senior managers' regime), and is the first case of this type. In due course, the Tribunal's judgment will also be worthy of close review in this regard.

Background

The Notice covers the period June 2012 to March 2014, during which SBUK operated 6 branches in the UK, principally providing services to the UK-resident Bangladeshi community. It provided personal and corporate deposit accounts, money remittance and trade finance operations. In 2013, it also started to offer banking services to money services businesses ("MSBs").

Mr Prodhan held the roles of CF1 (Director) and CF3 (Chief Executive), and was the senior manager responsible for the establishment and maintenance of effective AML systems and controls (pursuant to SYSC 6.3.8R). Day to day operational responsibility for the bank's AML systems and controls lay with the MLRO, who reported to Mr Prodhan.

In 2010, the FCA identified serious AML systems and controls failings as a result of its thematic work, and SBUK agreed to implement a remediation programme. The Notice describes a series of 'warning signs' in the 2012-2014 period, including a number of negative internal audit findings, which it asserts should have led Mr Prodhan to take further action – albeit several of these were not AML-specific. For example, an internal audit report in 2012 highlighted a lack of evidence that SBUK had considered its conduct risks, identified deficiencies in its risk register, and found a disconnect between that risk register and the tasks in SBUK's compliance monitoring plan. Internal Audit's recommendations that a conduct risk appetite be established and the risk register updated were not acted upon.
By July 2013, the Board appear to have recognised that there was a (non-AML specific) issue with staff understanding of the importance of regulatory compliance, and senior management were tasked with considering measures to address a lack of discipline in operational matters. Again, this does not appear to have resulted in concrete action.

The FCA visited SBUK in January 2014 in its follow-up thematic work, identified serious AML failings, and required the appointment of a skilled person. This process identified further weaknesses in AML systems and controls, described in more detail in an Annex to the Notice and the previous Final Notice against SBUK.

Mr Prodhan asserted that he delegated responsibility for SBUK's AML systems and controls to the MLRO, and on the basis of documents provided to him and conversations with senior colleagues, had no concerns about SBUK's systems and controls. The MLRO's annual reports asserted that SBUK's systems and controls were effective, and did not report (or did not accurately report) some Internal Audit findings.

FCA findings

The FCA found that the failings in SBUK's AML systems and controls were a direct consequence of insufficient oversight of AML systems and controls by the board of directors and senior management in general, and by Mr Prodhan in particular. Whilst they pre-dated Mr Prodhan's arrival at SBUK, they persisted during his tenure notwithstanding warning signs.

The FCA found that Mr Prodhan breached Principle 6 (APER 2.1A.3P) (an approved person performing an accountable significant influence function must exercise due skill, care and diligence in maintaining the business of the firm for which he is responsible), in that he failed to appreciate the need to give sufficient focus to regulatory compliance and to take reasonable steps to ensure the adequacy of SBUK's systems and controls to prevent financial crime.
Mr Prodhan was also found to be knowingly concerned in SBUK's admitted breach of Principle 3 (the requirement for the firm to take reasonable steps to organise its affairs responsibly and effectively, with adequate risk management systems).

The FCA's proposed fine is £76,490, being 30% (a factor based on the assessed seriousness of the conduct), multiplied by Mr Prodhan's income for the relevant period.

At paragraph 4.10 of the Notice, the FCA summarises the steps it says Mr Prodhan should have taken in the role of establishing effective AML systems and controls at SBUK, and these points are set out in the left-hand column below. We also set out in the right-hand column a number of more granular corresponding points which appear in the body of the Notice, either as criticisms of steps Mr Prodhan did not take, or statements of steps that he should have taken.

| What the Notice says he should have done: | What does the Notice suggest he could or should have done to implement this requirement? |
| --- | --- |
| Ensured he was properly informed of risks affecting SBUK's business, particularly relating to AML. Considered and assessed the measures in place to mitigate these risks, and whether they were working effectively | Taken reasonable steps to ensure risks (including AML risks) had been identified and documented. Accepted IA's recommendation to establish a conduct risk appetite. Accepted IA's recommendation to record conduct risks within an updated risks register. Notwithstanding delegation to the MLRO, taken reasonable steps to ensure he had at all times an adequate understanding of AML risks and how they were being addressed, including by: holding sufficiently regular meetings with the MLRO; contributing to meetings at which AML issues were considered; providing effective challenge to reports from the MLRO. |
| Ensured reports to the board were complete and accurate and informed the board of AML risks | Taken reasonable steps to ensure the board was sufficiently sighted on SBUK's risks with "sufficiently clear" information to ensure they had adequate oversight of AML risks, and were able to assess how they were being addressed. Taken AML risk into account in strategic planning. Specifically, taken AML risk into account when considering the expansion of the business to service MSBs. |
| Provided appropriate challenge to the reports of the MLRO | Identified inadequacies in the MLRO's monthly MI: identified that this failed to contain analysis of the effectiveness of systems and controls; identified that this failed to highlight particular risks or issues for the immediate attention of management. Provided challenge to the MLRO reports, and in particular challenge to the assertion that the AML controls were effective. Identified inadequacies in the MLRO Annual Report: the report provided description of systems in place but no adequate assessment of effectiveness; the report omitted or mischaracterised important findings of Internal Audit (including e.g. criticism of transaction monitoring processes), of which Mr Prodhan was aware. Followed up on 'warning signs' identified by Internal Audit (findings were discussed at Board level, but no adequate measures were taken to address the concerns noted). Followed up on 'warning signs' presented by very low levels of SARs (described by the MLRO as "surprising", with an identical and unsatisfactory rationale suggested by the MLRO each year). Taken steps to ensure the low level of SARs was investigated or that an explanation was provided. Challenged the MLRO on his explanation. |
| Devoted appropriate oversight and line management support to the MLRO | Held sufficiently regular meetings with the MLRO. Conducted meaningful appraisals of the MLRO. Followed up Internal Audit findings regarding the level of transaction monitoring by the MLRO which suggested insufficient resourcing. Considered the impact of new business on the staffing problem – taking on the new MSB business exacerbated the monitoring volumes. Actioned staffing requests in a timely manner – Mr Prodhan agreed the MLRO's request for new resource, but the MLRO took several months to draft the job description, and the whole recruitment process took a year. |
| Considered AML risks when making decisions regarding resourcing, appointment/dismissal of key personnel, and before taking on new business | Ensured SBUK's business plan recorded consideration of AML risks. Ensured adequate consideration of AML risk in the provision of new services, including both (a) the additional risks that might result, and (b) additional resources that might be needed to manage those risks. (Specifically, insufficient consideration was given to this in the context of commencing banking services to MSBs). |
| Taken reasonable steps to ensure the importance of robust AML systems and controls was clearly and unambiguously articulated throughout SBUK | Taken reasonable steps (at least following the Board's instruction to consider measures to introduce cultural change) to ensure that appropriate focus was paid to regulatory compliance. Impressed on operational staff the value of AML systems and controls. Ensured other members of senior management viewed AML requirements as part of their responsibility. Taken reasonable steps to ensure branch oversight. Branches should have been subject to appropriate management oversight with clear reporting lines. AML issues should have been considered as part of the line management process. The MLRO Report recommended a programme of branch visits in three successive years, but these were not implemented (to Mr Prodhan's knowledge) in light of MLRO resourcing constraints. |

Comment

Firms – and in particular individuals with oversight responsibility for AML systems and controls – will wish to review the FCA's assessment of the steps Mr Prodhan should have taken, and consider whether they are taking comparable steps in their oversight role, and whether there is appropriate evidence of this. How, for example, is senior management's consideration of AML risk and challenge to the MLRO documented [5]?

The FCA's focus on wider conduct risk issues is also of interest. The FCA found that Mr Prodhan did not take reasonable steps to address the "cultural issues" regarding employees' attitudes to regulatory compliance. This failure impacted on SBUK's AML systems and controls: the importance of complying with AML requirements was neither sufficiently understood nor valued throughout SBUK. This underlines the importance of senior managers who have AML compliance responsibility being engaged in wider conduct initiatives.

However, the emphasis on these broader failings may have been, in part, necessitated by some facts which run against the FCA's case. For example, the Internal Audit gradings of SBUK's AML systems and controls in their 2012 and 2013 reports in respect of AML were (2) (moderate) rather than significant (3) or very significant (4). By contrast, the overall audit grade in 2012 (for example) was (4).
Thus, it appears Mr Prodhan was expected to pick up AML warning signs when Internal Audit considered there to be a moderate (but not significant) level of risk in this specific area, the MLRO had reported that the systems were operating adequately (and indeed was later fined for failing to properly escalate his concerns), and Mr Prodhan himself was not experienced in relation to AML. One can see why Mr Prodhan might seek to challenge the Notice.

In response to his representations, the FCA has asserted that, to oversee the work of the MLRO effectively, Mr Prodhan would have needed a general understanding of systems and controls, as well as of areas of particular concern. Accepting the MLRO's assurances without challenge and relying on them to satisfy himself of the adequacy of systems is said to have rendered oversight ineffective.

There are a number of other points of interest raised in Mr Prodhan's representations, and as noted above the final outcome of this case will be one to watch in due course.

6. Money laundering supervision in the UK

Proposals relating to the EBA

In September 2018 the European Commission published proposals to strengthen the supervision of EU financial institutions to better address money laundering and terrorist financing threats. These proposals stemmed from concerns, particularly as a result of the Danske Bank affair, that AML/CTF rules were not always effectively supervised and enforced across the EU, and that there were weaknesses in cooperation and information-sharing at domestic level, between prudential and AML authorities, and between member states.

The proposals build on some much higher-level provisions introduced into 4MLD by 5MLD, at new Articles 57a and 57b. These address certain confidentiality issues relating to data sharing and, inter alia, require Member States to ensure that competent authorities supervising credit and financial institutions cooperate with each other to the greatest extent possible.
They also require member states not to prohibit or unreasonably restrict the exchange of information or cooperation between competent authorities for AML supervision purposes. There is little specificity, however, as to how and when that cooperation will occur in practice.

The proposed changes include: empowering the EBA to request national supervisors to take action; allowing it to step in as a last resort to address decisions directly to firms; empowering it to set 'common standards', to periodically review steps taken by national supervisory authorities and risk assessments; fostering the exchange of information on AML risks and trends; facilitating cooperation with non-EU countries in cross-border cases; and establishing a new permanent AML committee within the EBA, bringing together national AML supervisors.

The implications of the Commission's new proposals for the UK remain unclear, both because the legislative text remains subject to heavy negotiation and because of wider Brexit uncertainty: the House of Lords European Scrutiny Committee flagged concerns in its review of the proposals in October 2018 that the EBA would gain new powers to direct the PRA in circumstances when the UK (on exit) would not be permanently represented in the EBA governance structures. More broadly, the Commission's proposals are considered controversial insofar as they represent a shift of responsibility and power for supervision from member states to the EU. It is not therefore expected that these proposals will be adopted in the near future.

[5] On a related note, see the comments on Governance in the summary of the FCA's e-money thematic review earlier in this briefing.
Proposals relating to the ESAs

Somewhat less contentiously, in November 2018 the European Supervisory Authorities ("ESAs") published a Consultation Paper on draft joint guidelines on cooperation and information exchange for the purposes of 4MLD between competent authorities supervising credit and financial institutions[6]. In light of the new 5MLD provisions referred to above, this seeks to clarify the ways in which supervisory authorities will cooperate, and to create a framework for supervisors to use to support effective AML/CTF supervision for firms that operate on a cross-border basis.

The draft Guidelines envisage the introduction of AML/CTF "colleges", and set out rules to govern those colleges' establishment and operation. Broadly speaking, supervisors will be required to undertake an exercise of 'mapping' firms under their supervision, and colleges will be required where three or more competent authorities from different member states are responsible for supervising the firm. The colleges will provide a forum for cooperation and information exchange. The lead supervisor (i.e. the supervisor in the member state in which the firm has its head office) will be responsible for establishing the college and deciding, in consultation, how frequently college meetings will be held and their format: physical meetings at least once a year are required for high risk firms. College meetings can also be held on an ad hoc basis.

Cooperation will cover areas such as information exchange, which may cover a range of specified areas, joint inspections, requests for mutual assistance, the potential for use of non-public information on the firm, and coordination of supervisory action. Where firms operate only in two member states, the guidelines set out a process for the bilateral exchange of information between competent authorities. The guidelines also emphasise the need for information exchange between AML and prudential supervisors.
Whilst one can anticipate that, in practice, there will be some challenges in the implementation of these proposals, the general thrust of increased consistency and coordination between supervisors seems broadly sensible. In the absence of guidelines, some level of bilateral cooperation would of course subsist, but the consultation notes that challenges to this have transpired to include: (in some cases) lack of interest or prioritisation on the part of supervisors, competent authorities being unable to identify their counterparts (!), and actual or perceived legal obstacles to cooperation.

The ESAs also considered whether, instead of these new structures, AML could instead feature as a (greater) element in colleges set up for prudential supervision, but noted concerns that such colleges only covered banking groups (and do not cover all banks), that AML sub-structures in some prudential colleges have met "mixed results", and that discussions in such colleges often occur only after risk has crystallised, and between non-specialists.

The consultation closed on 8 February 2019 and the consultation response is therefore awaited.

[6] The scope of both terms being as defined in 4MLD.

7. FATF mutual evaluation of the UK

As readers will be aware, one driver in the UK's recent focus on AML regulation, supervision and enforcement has been the FATF mutual evaluation of the UK, which conducted the onsite element of its work in March 2018. The final report ("FATF Report"), which assesses both the 'technical compliance' of the UK's AML/CTF rules with the FATF Recommendations, and their 'effectiveness', was published in December 2018, and was a positive result for the UK, representing a significant improvement from our last evaluation.
The UK was praised in particular for investigation and prosecution of money laundering and terrorist financing, confiscation, financial sanctions implementation, protecting the non-profit sector from terrorist abuse, and cooperating domestically and internationally. However, the FATF considered that major improvements were needed to strengthen supervision and implementation of preventative measures, and to ensure that financial intelligence is fully exploited.

It can be anticipated that the UK will seek in due course to address areas highlighted by the FATF as falling short of its standards. The following two areas were assessed by FATF as only Partially Compliant from a technical compliance perspective:

- FATF rated the UK's compliance with Recommendation 13 (correspondent banking) as only Partially Compliant, given that the UK, in line with 4MLD, requires EDD to be conducted only on correspondent relationships with non-EEA respondents (and otherwise on a risk-based approach), whereas the FATF requirement applies to all cross-border relationships. It appears that, having bedded down to some extent the significant changes brought by 4MLD, this area may therefore be subject to further revision (and will in any event be changed in the event of a 'hard Brexit', as to which see item 13 below).

- In relation to the UK Financial Intelligence Unit ("FIU", housed in the NCA), FATF noted some concerns regarding the operational effectiveness of the FIU (in terms of independence from the NCA in defining its role and priorities), a limited ability of the FIU to conduct operational and strategic analysis, and a lack of clarity (pending the exercise of the new 'further information order' provisions introduced by the Criminal Finances Act 2017) on its ability to seek all the additional information it requires from reporting entities. The UK was therefore also assessed as Partially Compliant for Recommendation 29 (Financial Intelligence Units).
This is less relevant to firms from a compliance perspective but, to the extent that the FATF findings drive better resourcing of the NCA and continued emphasis on SAR reform, that will no doubt be welcome.

A number of other findings of interest stemmed from 'effectiveness' issues. These included (but were not limited to):

- A recommendation that the FCA should consider how to ensure appropriate intensity of supervision for all the different categories of its supervisory population, from low risk to high risk. FATF noted that the supervised population includes over 19,000 firms but, outside 170 firms (the 14 largest firms covered by SAMLP[7] and an additional 156 smaller firms assessed as high risk), these are not subject to a systematic or proactive supervision programme. Thus, there are significant numbers of firms undertaking high and medium risk activities falling outside its regular supervisory attention. FATF welcomed the introduction of REP-CRIM, but queried whether it should be extended (perhaps less frequently than annually) to a wider spectrum of firms. Similar comments were made in respect of HMRC's coverage of its supervised population.

- The need for a "significant overhaul" of the SARs regime. This feeds into the review already underway and discussed below (although the changes proposed by the Law Commission do not appear sufficiently substantive to address FATF's concerns). Issues raised included the perceived "under-reporting" by trust and company service providers, accountants and lawyers, large numbers of "poor quality" SARs, and a much less developed understanding of risks among Designated Non-Financial Businesses and Professions ("DNFBPs"). It was noted that the introduction of OPBAS is intended to address some issues in the consistency of supervision.

[7] The Systematic Anti-Money Laundering Programme.
- The lack of resources (both human and IT) and analytical capability at the NCA was flagged, and the FATF called for substantial investment as a priority so as to enable the FIU to fully exploit the intelligence reported to it.

- The need to improve the quality of information on the Persons of Significant Control ("PSC") register, maintained by Companies House, was also identified. Regrettably, the FATF's suggested priority actions here do not include requiring Companies House to verify the reported information, but rather that firms should identify discrepancies identified during CDD (as will be required in due course by 5MLD), and that Companies House flag such discrepancies in the register. (Certain other steps, such as sanctions screening by Companies House, are also proposed).

Whilst lengthy, FATF's full report is also of interest for those looking for information and statistics on supervision and enforcement in the UK.

8. FATF guidance on a risk-based approach to the securities sector

In October 2018, FATF published updated Risk-Based Approach Guidance for the Securities Sector ("Guidance"). The Guidance is directed at both countries and their AML/CTF supervisors and FIUs, and private sector regulated firms.

The Guidance discusses the role of different participants in, and risks faced by, the securities sector. In the section of the Guidance directed at firms (Section II), it outlines how firms can assess risk, provides examples of relevant risk factors (in the assessment of customer risk, transaction risk, distribution channel risk, and so on), and gives guidance on a risk-based approach to CDD, EDD and SDD, correspondent relationships, monitoring, and other relevant aspects of internal controls, including emphasis on the role of senior management.

The Guidance is, of course, not legally binding, although it may inform or influence the development of regulations and/or supervisory approaches in due course.
It is also fair to say that the extremely broad range of firms and activities which FATF has sought to characterise as "securities providers" (spanning many elements of the retail and wholesale sectors), and the breadth of other important concepts such as "intermediaries", means that the Guidance misses the opportunity to provide guidance which is tailored to the quite different risks within the securities sector.

Nonetheless, there is some useful discussion in the Guidance of risks, risk factors, and mitigating steps firms can take. Accordingly, it is certainly worth review by firms, in particular to consider whether there are additional risks, ideas and controls that could usefully be fed into existing AML/CTF programmes. For those looking to prioritise, pages 20-40 are the most relevant of a quite dense 62 page document.

9. Other FATF developments of interest: virtual assets and DNFBPs

Separately, there are a number of FATF open consultations of some interest.

Virtual assets

First, FATF is consulting on additional measures to manage the risk posed by virtual currencies/assets. In October 2018, FATF amended Recommendation 15 (which requires countries and financial institutions to assess and manage risks relating to new technologies), to add the following new obligation:

"to manage and mitigate the risks emerging from virtual assets, countries should ensure that virtual asset service providers are regulated for AML/CFT purposes, and licensed or registered and subject to effective systems for monitoring and ensuring compliance with the relevant measures called for in the FATF Recommendation".

FATF also added to its Glossary definitions of "virtual assets"[8] and "virtual asset service providers"[9] ("VASPs"). This new approach goes significantly further than FATF's 2015 guidance, which suggested a focus by national authorities on activities whereby convertible virtual currencies intersect with fiat currencies[10].
The October 2018 developments embed the extended new requirements in the Recommendations (rather than guidance), and introduce new definitions of virtual asset service providers which would, for example, cover certain virtual-virtual exchange activities and the safekeeping, administration, and services relating to the issuance and sale of virtual assets. These categories of business appear to be wider than those which 5MLD will, in due course, require to be regulated in the EU[11].

In February 2019, FATF announced that the text of a new Interpretive Note to supplement this Recommendation has been finalised, and will be formally adopted as part of the FATF Standards in June 2019. The Note is directed at countries, and seeks to provide further clarification on the requirements for registration of VASPs, including the jurisdiction in which they should register, and the obligations to which they should be subject.

Paragraph 7(b) of the Interpretive Note has not yet been finalised, and is being publicly consulted upon, for final adoption in June 2019. Paragraph 7(b) relates to the application of Recommendation 16 to VASPs, namely how VASPs should obtain and hold originator and beneficiary information on virtual asset transfers. Comments from private sector experts on the new requirements are invited.

DNFBPs: the risk based approach

On 25 February 2019, FATF also opened a public consultation on three draft Risk-Based Approach documents, for Legal Professionals, Accountants and Trust and Company Service Providers. The consultation is open until 8 April 2019, and FATF expects to adopt the final version of the documents at its June 2019 plenary meeting.

10. Reform to the UK's suspicious activity reporting regime

Law Commission consultation

From July to October 2018, the Law Commission consulted on proposals to reform the suspicious activity reporting ("SAR") regime. The response to that consultation is expected in 2019.
The Law Commission's work focussed on limited aspects of the Proceeds of Crime Act 2002 ("POCA") (primarily the consent[12] regime and its interaction with the 'failure to report' offences), and sought ideas for wider reform. The Law Commission's response to that consultation is now awaited.

The Law Commission's proposals, even if pursued, will not lead to radical reform of the UK's SAR system. Notwithstanding that it identified that (on the limited available evidence) the vast majority of consent SARs did not lead to restraint or seizure of assets, and that the UK FIU receives significantly higher numbers of SARs than other EU Member States, the Law Commission failed to propose any fundamental changes to address the acknowledged inefficiencies of the consent regime.

Instead, much of the consultation paper was devoted to a proposal directed at reducing the number of SARs by introducing a new defence whereby an individual in the regulated sector who is subjectively suspicious, but has no reasonable grounds to suspect that property is criminal property, would not in respect of dealings with that property commit a money laundering offence, and would not therefore need to seek 'appropriate consent'. However, it is not at all clear that this would in fact reduce SAR numbers, and there are a number of problems this change would present for reporters which consultation responses will have identified.

A number of other proposals were made, within the scheme of the existing legislation, which have merit and would, if implemented, address some genuine difficulties. These include an important proposal to address problems arising from fungibility and the mixing of funds in accounts, and a proposal to provide guidance on 'reasonable excuse' with a view to eliminating various categories of reports with limited or no intelligence value.

We were closely involved in helping clients respond to the consultation, and if you would like any further information pending the Law Commission's response, please do get in touch with any of the contacts on this briefing. In the interim, the Law Commission's response is awaited with interest.

[8] "A virtual asset is a digital representation of currency that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations".

[9] "Virtual asset service providers means any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person: (i) exchange between virtual assets and fiat currencies; (ii) exchange between one or more forms of virtual assets; (iii) transfer of virtual assets; (iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and (v) participation in and provision of financial services relating to an issuer's offer and/or sale of a virtual asset".

[10] 'Guidance for a Risk-Based Approach to Virtual Currencies', June 2015.

[11] "Providers of currency exchange services between virtual currencies and fiat currencies", and "custodian wallet providers" (as defined).

[12] Using the terminology in POCA. 'Appropriate consent' is referred to by the NCA as a Defence Against Money Laundering or "DAML".

SARs reform programme

In parallel with the Law Commission's work, the SARs reform programme, which follows a commitment made by the government in its Action Plan for Anti-Money Laundering and Counter-Terrorist Financing in April 2016 to reform the SARs regime, has been underway.
The SARs reform programme draws together a number of government agencies, law enforcement, regulators and private sector representatives, with a view to, amongst other matters, improving the quality and (where relevant) quantity of SAR reporting, facilitating feedback, and creating efficiencies in the regime. The SAR reform programme also includes work on the potential replacement of SAROnline, a topic which FATF has now identified as a priority. No concrete reform proposals from this work have been made publicly available at this stage.

11. The scale of money laundering in the UK

RUSI (the Royal United Services Institute) published a briefing paper in February 2019, 'The Scale of Money Laundering in the UK: Too Big to Measure?'. The paper is based on a workshop seeking to consider how policymakers and researchers could gain a better understanding of the scale of UK money laundering.

The paper has some suggestions for future steps and work to explore different methodologies of measuring money laundering, which it is to be hoped will be taken forward. In the meantime, one main takeaway is that the paper underlines just how poor our current understanding is of the scale of money laundering activity. As it notes, the government's 2018 Serious and Organised Crime Strategy assesses that there is a realistic possibility that the scale of money laundering impacting the UK annually is in the "tens of billions of pounds", whilst the same year's NCA Strategic Assessment noted that there was no reliable estimate but put the possible amount at "hundreds of billions of pounds". Indeed, the first item for discussion at the workshops was what exactly it was that stakeholders were seeking to measure and counteract.

Estimates in this area will of course always be challenging and imprecise.
However, particularly at a time when the Government will be making important decisions on the SAR reform process, any steps that might provide a better evidential basis to support decision-making, and focus on the objectives of the regime, must be welcome.

12. Amendments to the Financial Crime Guide

In December 2018, the FCA published a response to Guidance Consultation GC 18/1 (Proposed Guidance on financial systems and controls: insider dealing and market manipulation), which had proposed various revisions to the Financial Crime Guide ("FCG")[13]. The FCA published a 'Summary of Feedback Received' ("Summary") and Finalised Guidance FG 18/5.

[13] Renamed as a result of this consultation.

The most significant change in FG18/5 is the introduction of a new chapter in FCG addressing systems and controls to counter the risk of insider dealing and (criminal) market manipulation. Commentary on this new chapter is outside the scope of this (already quite long) briefing. Instead, we summarise below some other AML-specific updates which were made to FCG at the same time, principally to address the introduction of the MLR 2017.

SM&CR: senior manager responsible for compliance with the MLR 2017

Regulation 21(1)(a) of the MLR 2017 requires that, where appropriate to the size and nature of its business, firms must appoint an individual who is a member of its board of directors (or equivalent management body), or of its senior management, as the officer responsible for compliance with the regulations, and reg.21(3) requires the appointment of a nominated officer. Regulation 21(4) requires the firm to inform their supervisory authority of the identity of these individuals within 14 days of appointment.
The FCA has added guidance to FCG that: "as SYSC 6.3.9R and SYSC 3.2.6IR also require firms subject to those provisions to have an MLRO, the FCA expects that this individual can be the same individual appointed under Regulation 21(1)(a) and/or 21(3) of the Money Laundering Regulations and so firms do not need to make a separate notification to the FCA".

The Summary confirms that this update has been included "to clarify a decision taken by the FCA, and disseminated to the industry via trade bodies. If firms have a Money Laundering Reporting Office [sic] (MLRO CF11/SMF 17 function) that could satisfy the requirement in Regulation 21(1)(a) of the MLRs....We have included a link to FCA's guidance on the SM&CR within the Guide, which will future proof the guide".

Updates for MLR 2017

There are a number of revisions to FCG to address the introduction of the MLR 2017, including for example the sections on EDD, reliance, and the definition of SDD. The FCA has also added reference to its PEPs guidance (FG 17/6) and (by contrast to the original draft) made clearer that this guidance is non-binding. (Firms should, however, note the separate revisions to the guidance on REP-CRIM[14], setting out the FCA's expectation that PEP statistics will be reported in line with the FCA's PEPs guidance). Section 3.2.13 has also been updated for the new Funds Transfer Regulation ("FTR")[15].

Thankfully, the FCA has responded to feedback provided in consultation responses, and made a number of changes to the originally proposed revisions to FCG, so that they now track (and do not expand) firms' obligations under the MLR 2017. If firms have implemented the MLR 2017, these changes should not therefore require further work to be undertaken.

FCTR: Thematic Reviews

Less helpfully, the FCA has confirmed in the Summary that it does not intend to review whether the historic thematic reviews summarised in FCTR (formerly Part 2 of FC) remain current in light of the MLR 2017 and other regulatory changes.
Instead, at FCTR 1.1.4 the FCA has included a statement that "Firms should consider whether information in historic thematic reviews in FCTR relating to the Money Laundering Regulations 2007 remain relevant for the Money Laundering Regulations". FCTR must therefore be treated with an element of caution insofar as it relates to AML requirements. In terms of examples of good and bad practice, however, given that the relevant regulations have generally become more rather than less onerous, what was bad practice can still be expected to be so.

Failure to prevent the facilitation of tax evasion and Inducements

The FCA has indicated that it does not intend to insert a new chapter in FCG to cover the new 'corporate criminal offences' of failure to prevent the facilitation of tax evasion. The FCA stated that, whilst tax evasion is a predicate offence for money laundering purposes, this is "more a matter for HMRC as the tax authority". The FCA has, however, included links to the HMRC and UK Finance guidance on 'reasonable procedures'.

The FCA also confirmed that it does not plan to reference broader work on inducements in the bribery and corruption chapter: the findings from the inducements work are said to be "specific to those sectors that were probed" such that the existing guidance remains current. Of course, those in affected sectors will need to have regard to relevant rules and guidance, as well as FCG.

[14] These changes were made in early 2018 in Handbook Notice 52: https://www.fca.org.uk/publication/handbook/handbook-notice52.pdf

[15] Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds.

Status of FCG under the MLR 2017

A somewhat more esoteric point is the status of FCG for MLR 2017 purposes.
Readers will recall that, pursuant to reg.76(6)(b) and reg.86(2)(b), in determining whether a breach of the MLR 2017 has occurred in the context of civil enforcement or criminal proceedings, the supervisory authority/court must take into account whether the respondent/defendant followed "any relevant guidance" which was (a) issued by the FCA, or (b) issued by another appropriate body and approved by HM Treasury. Limb (b) includes, of course, the JMLSG Guidance.

The draft revisions in GC 18/1 had described FCG as relevant guidance which must be taken into account. The finalised guidance now states that it "may" be relevant guidance. To some extent this may be a distinction without a difference: in practice it seems unlikely that any relevant provisions in FCG would be ignored in the assessment of breach (particularly if it is the FCA assessing whether a breach has occurred). Further, given that the MLR 2017 is drafted such that both (unspecified) FCA guidance and the JMLSG Guidance can be "relevant guidance", a potential tension between the two (to the extent the two pieces of guidance diverge) is inevitable. Nonetheless, the revision provides some additional flexibility in addressing this issue, should that be necessary, and is therefore welcome.

13. Brexit

Finally, no briefing nowadays would be complete without some mention of Brexit.

The Money Laundering and Transfer of Funds (Information) (Amendment) (EU Exit) Regulations 2019 ("ML Brexit Regulations") have now been passed. These will come into effect (subject to alternative transitional arrangements being negotiated) on "exit day". This could be as soon as 29th March 2019 in the event of a no-deal Brexit, or at the end of a transition period of agreed withdrawal, or at the end of any extension of time before the UK leaves the EU, depending on the circumstances.

The ML Brexit Regulations make minimal amendments to the MLR 2017 to address the status of the UK as a third country.
From a compliance perspective, notable changes include the following:

EU-level guidance

There will be no requirement for firms to have regard to the ESA's risk factors guidance in determining what EDD or SDD steps to take under regs.33 or 37, or for Payment Services Providers ("PSPs") to take account of the ESA's guidance under Article 25 of the FTRs.

Similarly, there will be no requirement for the Home Office/Treasury, or supervisory authorities, to have regard to Commission reports or the ESA's guidelines in their risk assessments (regs.16 and 17), for supervisory authorities to have regard either to the ESA's guidelines on risk-based supervision (reg.46(3)) or to various EU-level information sources (reg. 47), or for the courts/regulator to have regard to the ESA's guidance in assessing whether there has been a breach of the MLR 2017 (regs.76, 86).

Group-wide compliance

The requirement for "relevant parent entities" to ensure that branches and subsidiaries in the EEA follow the law of that EEA state implementing 4MLD will be removed. The remaining obligations on relevant parent entities will be (a) to establish and maintain certain group-wide policies, procedures and controls, and (b) to ensure that measures equivalent to the MLR 2017 are adopted in branches and subsidiaries in third countries which do not impose requirements as strict as those of the UK (reg.20). (Of course, to the extent institutions have branches or subsidiaries in the EEA, if the relevant EEA member state has implemented 4MLD, then the branches/subsidiaries will continue to be required to comply with local law).

Pre-Brexit, credit and financial institutions in the EEA will be subject to any Regulatory Technical Standards ("RTSs") issued under Article 45(6) of 4MLD, specifying the steps to be taken where a third country's law does not permit the implementation of relevant group-wide policies and procedures.
These RTSs[16] are currently in draft and are working their way through the EU legislative process, having recently been referred by the European Parliament to a Joint Committee. The ML Brexit Regulations will add a power for the FCA to instead make its own technical standards on this subject for institutions operating in the UK.

Central contact points

The ML Brexit Regulations will delete the requirement for e-money issuers or PSPs, established in the UK other than by way of a branch and with their head office in an EEA state other than the UK, to appoint a person to act as a central contact point for AML/CTF purposes.

SDD, EDD and reliance

The 'customer risk factors' which fall to be considered in assessing eligibility for SDD will include whether the customer is a credit/financial institution in a jurisdiction which is 4MLD equivalent (and supervised for compliance), rather than a credit/financial institution in the EEA (and supervised for compliance) (reg.37(3)(a)). A related expansion will be made to the 'pooled client account' provisions (reg.37(5) and (6)), which will apply to accounts held for regulated firms in equivalent jurisdictions, rather than regulated firms in EEA jurisdictions only. This is a welcome change, and makes sense from an AML risk perspective.

In one respect the SDD risk factors will narrow. The 'product risk factor' directed at low risk financial inclusion products will be limited to products aimed at increasing access for financial inclusion purposes in the UK, rather than across the EEA (reg.37(3)(b)(iv)).

As to EDD, there will be a change to the scope of the EDD requirements in respect of correspondent relationships. One of the triggers (under reg.34) for EDD is that a credit or financial institution has or proposes to have a correspondent relationship with another such institution in a "third country".
Since the ML Brexit Regulations redefine a 'third country' from "a state other than the EEA" to "a state other than the UK", it follows that the correspondent relationships with non-UK credit/financial institutions will trigger the prescribed EDD steps. This also aligns with the FATF recommendations noted at item 7 above.

Another EDD point relates to the current exemption from the requirement to conduct EDD on customers established in an HR3C if the customer is a branch/subsidiary of an EEA headquartered firm and (a) the EEA firm is in a member state which has implemented 4MLD, and is supervised for compliance, and (b) the customer is subject to group-wide policies and procedures. This exemption will be extended to branches/subsidiaries of firms headquartered in any third country, providing the 'headquarters' firm is subject to equivalent requirements to 4MLD and supervised for compliance and, as before, the customer is subject to group-wide policies and procedures. This is in principle a welcome change. The drafting is, however, sub-optimal, as there is a requirement that the group-wide policies and procedures must flow from requirements equivalent to Article 45 of 4MLD (i.e. the local law of the 'headquarters' firm must require it to have group-wide policies and procedures, which may not always be the case).

A similar amendment has been made in regulation 39 in relation to 'reliance' on firms in HR3Cs which are branches/subsidiaries of firms headquartered in equivalently-regulated countries and required to apply group-wide policies and procedures.

[16] See our previous e-bulletin on this subject at: https://hsfnotes.com/fsrandcorpcrime/2018/01/29/group-wide-aml-ctf-compliance-newobligations-for-firms-with-overseas-branches-and-subsidiaries/

In terms of which countries are HR3Cs for EDD purposes, interestingly the UK has chosen to retain use of the EU's HR3C list (discussed above).
Whether that will be the case in the long-term, particularly if there is further controversy over the list, remains to be seen.

Another key area of financial crime compliance impacted by Brexit is the UK's sanctions regime, and we will publish a separate briefing on this subject.

14. Conclusion

Financial crime professionals will recall 2017 and 2018 as exceptionally busy years, with a series of complex regulatory developments, consultations and guidance with which to grapple. It does not appear that 2019 will hold much respite. There will be at least more SARs reform, a consultation on 5MLD implementation, Brexit complications, and a series of sanctions developments upcoming.

Please feel free to contact any of your usual HSF contacts with any further questions in relation to these developments.

15. Contacts

Susannah Cogman, Partner, T +44 20 7466 2580, Susannah.Cogman@hsf.com
Daniel Hudson, Partner, T +44 20 7466 2470, Daniel.Hudson@hsf.com
Elizabeth Head, Senior Associate, T +44 20 7466 6443, Elizabeth.Head@hsf.com
Kathryn Boyd, Senior Associate, T +44 20 7466 2462, Kathryn.Boyd@hsf.com
David Knott, Senior Associate, T +44 20 7466 2438, David.Knott@hsf.com

If you would like to receive more copies of this briefing, or would like to receive Herbert Smith Freehills briefings from other practice areas, or would like to be taken off the distribution lists for such briefings, please email firstname.lastname@example.org.

Herbert Smith Freehills LLP 2019

The contents of this publication, current at the date of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on the information provided herein.