Anti money laundering legislation aimed at preventing the use of the financial system for the laundering of the proceeds of drug and other serious crime or the funding of terrorism has been in place for over ten years. The original requirements were for financial institutions to set up procedures to verify the identity of clients and keep records of the evidence supplied, have internal reporting procedures for suspicions of money laundering and to train employees to recognise money laundering and in the use of the institutions’ internal procedures. This is a constantly evolving area, having been twice extended and amended since the first legislation came into force.
The latest set of regulations is the Money Laundering Regulations 2007 (2007 Regulations). These Regulations come into force on 15 December 2007 replacing the current Money Laundering Regulations 2003 and implementing the EU’s Third Money Laundering Directive. This Directive is wider in scope than its predecessors as it extends the category of businesses that will fall within the regulated sector to include trust and company service providers, ‘high value dealers’ (being a person or firm trading in goods for which he receives payment in respect of a transaction or series of linked transactions exceeding Euros 15,000) and life insurance intermediaries. A new category of person, a ‘politically exposed person’, is also introduced as a client in respect of whom, along with any of his close family members or known associates, the regulated business must conduct enhanced due diligence before accepting as a client.
Risk based compliance
One of the main features of the Third Money Laundering Directive is the introduction of risk-based due diligence requirements for regulated businesses, much of which is consistent with the current practices introduced in the UK by the 2003 regulations and the Joint Money Laundering Steering Group Guidance published in 2006 (Guidance). Under the 2007 Regulations, regulated businesses (which, in addition to the new businesses added, include credit and other financial institutions, auditors, insolvency practitioners, accountants, money service businesses and estate agents) must “establish and maintain appropriate and risk-sensitive policies and procedures” relating to:
- Customer due diligence measures and on-going monitoring including how to identify whether a person is a politically exposed person (being a person entrusted with a prominent public function by another state, EC institution or international body), in which case increased diligence will be required. On-going monitoring of relationships will involve scrutinising the transactions undertaken in the course of the business relationship, in particular to identify the source of funds and whether the types of transactions are consistent with the regulated business’s knowledge of the customer, its business and risk profile as well as keeping documents obtained for the purposes of due diligence up to date.
- Record keeping. Records should include all evidence and supporting documents obtained to verify the identity of the customer at the commencement of the business relationship and during any on-going due diligence. Records should be kept for at least 5 years after the completion of the last activity arising from a transaction or the end of the business relationship. All records should be kept up to date.
- Internal control, such as additional measures to prevent the use of products or transactions favouring anonymity that may attract money laundering or terrorist funding.
- Risk assessment and management. This will need to include how to identify complex or unusual transactions or patterns of transactions and which, by reason of a lack of economic or lawful purpose, may be likely to be related to money laundering or terrorist funding. It will be important to keep the risk assessment policies up to date.
- The monitoring and management of compliance with, and the internal communication of, such policies and procedures. It will be necessary for regulated businesses to show the FSA (if they are a credit or financial institution), the OFT (if they are a consumer credit financial institution or estate agent) or HMRC (if not otherwise regulated) that their customer due diligence measures are appropriate.
The emphasis on risk-based policies and practices is new and is a recurring feature of the 2007 Regulations. It will be the responsibility of the regulated business to evaluate the risk of money laundering or terrorist funding in the context of each customer and to vary accordingly the extent of the customer due diligence and monitoring exercised. More stringent “know your customer” procedures are to be followed where the perceived risk is higher. The type of customer, business relationship and the transaction will all be relevant factors in determining the risk.
The 2007 Regulations specifically set out those situations where “enhanced” or “simplified” customer due diligence will be appropriate. Enhanced due diligence is to be applied, on a risk sensitive basis, in situations where the customer is not physically present, the customer is a politically exposed person or if the situation by its nature carries a high risk of money laundering or terrorist financing. In such situations further verification of the customer or beneficial owner, more details of the ownership or control of the client, more information on the purpose of the business relationship or the source of the funds and enhanced monitoring will be necessary.
In contrast, simplified due diligence will be acceptable if the customer is a credit or financial institution itself subject to the Money Laundering Directives, from a non EU state and supervised for compliance with equivalent anti money laundering requirements, a company with securities listed on a regulated market or a UK public authority.
Customer due diligence
There are new, more detailed customer due diligence obligations to add to those already in place. All customer due diligence obligations are triggered by the establishing of a ‘business relationship’, the conduct of an occasional or one-off transaction of more than Euros 15,000 or actual knowledge or suspicion of money laundering or terrorist financing. A business relationship is the business, professional or commercial relationship between the regulated business and the customer which is expected to have a duration. This element of duration is to be assessed when the contact between the institution and customer is established not when it is first made. There is a limited exemption for business carried out on an occasional or limited basis as the 2007 Regulations are only intended to apply to institutions when they conduct regulated business.
A regulated business is required to identify a customer and verify his identity on the basis of documents and data obtained from a reliable source. Where there is doubt about the adequacy of the documents previously obtained, further customer due diligence must be conducted. The identity of the customer and any beneficial owner must be verified before the establishment of a business relationship or the conduct of any occasional transaction. However, where the regulated business considers there is a low risk of money laundering and it is necessary not to interrupt the normal conduct of the business, the 2007 Regulations permit the verification of a customer’s identity during the establishment of the business relationship, rather than before, save where the opening of a bank account is involved, in which case no money can be paid out of the account until the identification procedures have been completed.
Additionally, the regulated business must now identify whether there is a beneficial owner of the customer who is not the customer and, if so, verify the identity of the beneficial owner and understand the nature of the ownership and control of any legal person, trust or arrangement relating to the customer. A beneficial owner is a person who ultimately owns or controls at least 25% of the shares or voting rights, either directly or indirectly, of the customer.
Finally, the regulated business must identify the purpose and intended nature of the business relationship.
The 2007 Regulations do make one change that may reduce some of the customer due diligence burden as it will be possible for regulated businesses to rely on the due diligence of another regulated person, including credit and financial institutions, auditor, insolvency practitioner, accountant or legal professional in an EEA state or a non-EEA state who is supervised in the compliance of equivalent anti money laundering requirements. The consent of the third party must be obtained and the regulated business will not be able to rely on any defect in the third party’s due diligence in the event of any failure to satisfy the requirements of the 2007 Regulations.
Breach of the 2007 Regulations is an offence punishable by a fine or imprisonment for up to 2 years. In addition all the money laundering offences in Part 7 of Proceeds of Crime Act 2002 will apply, which include the offence of failing to notify any knowledge or suspicion that another person is involved in money laundering.
This risk-based approach will involve a change of practice by regulated businesses and may involve them in a delicate balance. A risk averse approach is likely to increase the administration involved in establishing business relations and any situation where enhanced customer due diligence is required will lead to more detailed investigation of customers. Proper risk analysis will require good information gathering and careful consideration of customers and their transactions and could mean more money laundering reports are made. On the other hand, too cavalier an approach to risk assessment could leave institutions exposed to a failure to comply properly with the 2007 Regulations.
Joint Money Laundering Steering Group guidance for ABLs
In January 2006, the JMLSG published an amended version of its extensive guidance for the UK financial sector on the prevention of money laundering and combating the funding of terrorism. One of the key features, now reflected in the Third Money Laundering Directive and the Money Laundering Regulations 2007, is risk-based due diligence. Whilst some further changes have now been made to this Guidance, to reflect the provisions for relying on third party due diligence and alterations to definitions, these are not substantial and institutions already complying with the Guidance will only need to make minor changes to their policies and procedures to meet the new legislation’s requirements.
The Guidance is in two parts. Part 1 is the main guidance containing the general provisions addressing senior management responsibility, internal controls and the money laundering reporting officer, the risk-based approach and customer due diligence, monitoring, reporting, training and staff awareness. Part 2 contains specific sector guidance. In August 2007 a new section containing guidance for the invoice finance sector was added to this Part 2. This section identifies the money laundering risks in invoice finance, the main ones being payment against invoices where there is no movement of goods or the overstating of the value of goods. The risks are indicated to be greater where there are cross-border transactions, reduced paper trails, the financier allowing the client to collect the debt and confidential and bulk products. Greater involvement in transactions by the invoice financier, such as the recording and managing of individual invoices and customers and collection by the invoice financier together with on-going due diligence, monitoring, site inspections and verification will reduce the risks of money laundering. The high level of contact between financier and client that is typical to invoice finance may itself make this sector less attractive to money launderers. The Guidance assesses the overall risk of money laundering in factoring to be lower than that in invoice discounting.
Invoice financiers are required to conduct a risk assessment for each client and introduce robust procedures to monitor money-laundering risks. Any changes to internal procedure or revision of risk assessment must be documented within the financier’s overall risk assessment and this must be reviewed and updated regularly. Whilst there are obvious overlaps with procedures for managing general credit risks, particular attention will need to be paid to additional checks such as improving knowledge of the source of funds and monitoring of short term breaches of finance agreements for early indications of money laundering. Any suspicions must be promptly reported to SOCA.
With regard to its customer due diligence requirements contained in the Guidance, the invoice financier will be required to identify its client (the ‘customer’ in Part 1 of the Guidance), being the business entity with which it has a contractual relationship. The level of customer due diligence required is set out in Part 1 chapter 5 of the Guidance. This requires identification of the client (and in some cases further verification) together with a full understanding of the client and its business to establish expected activity patterns of the client. Invoice financiers are not required generally to conduct customer due diligence for money laundering purposes on their clients’ customers, although depending on the risk assessment, some verification of underlying customers may be appropriate. The sector Guidance lists those situations where enhanced due diligence will be necessary, for example, where any party connected to a client is a ‘politically exposed person’ or is associated with a country identified as having high levels of money laundering or inadequate supervision or a high risk business such as one involving high levels of cash sales, cross border transactions or small, high value goods. Additional monitoring will be needed where there is a marked change from the expected activities, for example, changes in size, value or frequency of transactions, a change in location or goods or to payment methods or cycles. Invoice financiers will be familiar with much of the customer due diligence required both at commencement of the facility and during the life of the facility, as there is a close link here to the anti-fraud measures that form a primary control against other criminal misuse of invoice finance facilities. For maximum effect these processes should be closely co-ordinated.
Copies of the Guidance are available at www.jmlsg.org.uk