On 10 January 2020, the Fifth Money Laundering Directive (EU) 2018/843 (5MLD) came into force. On 20 December 2019, the UK Government laid before Parliament its implementing legislation, the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (MLR 2019), which amends the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017, and together with MLR 2019, the MLRs).

5MLD expands the scope of businesses to which the UK’s anti-money laundering regime applies (for example, to tax advisers, letting agents and crypto-asset exchanges), as well as amending a number of the substantive requirements. Many businesses will have made amendments in readiness for the anticipated changes. Nonetheless, with financial crime prevention at the top of the agenda for UK, European and international regulators, it is important to ensure that your policies and procedures are fully compliant with the finer details contained in the recently published MLRs.

This note sets out a brief summary of the changes for relevant persons under MLR 2019.

  1. Relevant persons
    1. MLR 2019 extends the list of relevant persons falling within scope of the MLRs to include:
      1. those providing material aid or assistance on tax matters;
      2. letting agents;
      3. art market participants; and
      4. cryptoasset exchange providers and custodian wallet providers.1
  2. Policies
    1. MLR 2017 requires relevant parent companies to establish, maintain and flow down to all of its subsidiaries (whether incorporated in the UK or elsewhere) group-level policies, controls and procedures on:
      1. data protection; and
      2. sharing information for the purposes of preventing money laundering with other members of the group.
    2. MLR 2019 amends this second bullet to include policies "on the sharing of information about customers, customer accounts and transactions".2 The other record-keeping and review requirements contained in MLR 2017 will also apply to these policies.
  3. Training
    1. If a relevant person uses agents to help with preventing, identifying or mitigating the risk of money laundering in its business, it must ensure that these agents:
      1. are made aware of the law on AML and data protection; and
      2. receive regular AML training.3
  4. E-Money thresholds for customer due diligence (CDD)
    1. Under MLR 2017, certain low-risk e-money products were exempted from CDD requirements. MLR 2019 reduces these thresholds so that the exemption only applies where all of the following conditions are met:
      1. the maximum amount that can be stored electronically is EUR 150 (previously EUR 250);
      2. the payment instrument used in connection with the electronic money is not reloadable or has a maximum limit on monthly payments of EUR 150, which can only be used in the UK (previously EUR 250);
      3. the payment instrument is used exclusively to purchase goods and services;
      4. anonymous e-money is not used to fund the payment instrument; and
      5. any redemptions in cash, or remote payment transactions, do not exceed EUR 50 per transaction (previously EUR 100).4
    2. MLR 2019 also prohibits financial institutions from accepting payments which are carried out using anonymous prepaid cards issued in non-EU countries unless those non-EU cards meet requirements that are equivalent to the EU's AML rules for those products.5 This requirement comes into force on 10 July 2020.
  5. CDD
    1. MLR 2019 clarifies that relevant persons may use electronic identification to complete CDD, providing that the chosen means is secure from fraud and misuse and provides an appropriate level of assurance that the person claiming their identity is in fact that person.6
    2. MLR 2019 adds another situation in which relevant persons must apply CDD measures: where the relevant person has any legal duty in the course of the calendar year to contact an existing customer for the purpose of reviewing any information which:
      1. is relevant to the risk assessment for that customer; and
      2. relates to the beneficial ownership of the customer, including information which enables the relevant person to understand the ownership or control structure of a legal person, trust, foundation or similar arrangement who is the beneficial owner of the customer.7
    3. The other changes to the CDD regime are also focused on beneficial ownership. Below are some examples.
      1. Where a customer is a body corporate and the beneficial owner cannot be identified, relevant persons must instead take all reasonable measures to verify the identity of the senior managing official. The relevant person must keep records detailing all actions it took to do this and any difficulties encountered in doing so.8
      2. Where a customer is a legal person, trust, company, foundation or similar legal arrangement, the relevant person must take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation or similar legal arrangement.9
      3. Before entering into a new business relationship with a company subject to beneficial ownership registration requirements (i.e. the PSC regime), the relevant person must collect from the company either:
        1. proof of the company's registration on the PSC Register; or
        2. an excerpt of the PSC Register.
      4. Where the relevant person identifies a discrepancy between the beneficial ownership information available in the PSC Register and the beneficial ownership information provided by the company in the course of CDD, it must report this to Companies House.10
  6. Enhanced customer due diligence (EDD)
    1. MLR 2017 requires relevant persons to conduct EDD in cases where:
      1. a transaction is complex or unusually large, or there is an unusual pattern of transactions; and
      2. the transaction or transactions have no apparent economic or legal purpose.
      MLR 2019 splits out these criteria into three alternative limbs.11
    2. 5MLD extends the existing requirement to carry out enhanced monitoring of any business relationship or transaction with a person "established in" a high-risk third country so that it covers any relationship or transaction "involving" a high risk country. However, MLR 2019 clarifies that in the UK, "involving" means:
      1. a business relationship with a person established in a high-risk third country; or
      2. a transaction subject to CDD anyway, to which either party is established in a high-risk third country.
    3. For these purposes, being "established in" a third country means:
      1. in the case of a legal person, being incorporated in or having its principal place of business in that country, or, in the case of a financial institution or a credit institution, having its principal regulatory authority in that country; and
      2. in the case of an individual, being resident in that country, but not merely having been born in that country.12
    4. "High-risk third countries" remain those identified by the European Commission as such, although 5MLD broadens the assessment criteria, suggesting that the list will likely increase.13
    5. MLR 2019 contains a number of additional requirements for business relationships or transactions involving a party "established in" a high-risk country:
      1. obtaining additional information on:
        1. the customer and on the customer's beneficial owner(s);
        2. the intended nature of the business relationship;
        3. the source of funds and wealth of the customer and the customer's beneficial owner(s); and
        4. the reasons for the intended or performed transactions.
      2. obtaining senior management approval for establishing or continuing the business relationship;
      3. carrying out enhanced ongoing monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.14
  7. National register of bank account and safe-deposit box ownership
    1. Under MLR 2019, the UK has until 10 September 2020 to establish a centralised automated mechanism – such as a central registry or electronic data retrieval mechanism – which allows for the identification of natural and legal persons holding or controlling bank accounts, payment accounts or safe-deposit boxes in the UK.15
    2. Credit institutions or safe custody services providers must respond fully and rapidly to requests from law enforcement authorities or the Gambling Commission.16 Customer records must be kept for five years after the closure of the account or safe-deposit box.17