On 15 June 2022 HM Treasury published the outcome to its consultation on amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). The changes to the MLRs will be implemented through the Money Laundering and Terrorist Financing (Amendment) (No.2) Regulations 2022 Statutory Instrument. A draft of the Statutory Instrument and explanatory memorandum have also been published. The amendments bring the MLRs in line with updated FATF standards and fill gaps in the current operation of the UK's AML regime, most significantly in relation to cryptoassets.
The Treasury's publication of amendments to the MLRs was followed on 24 June 2022 by publication of two post-implementation reviews (PIRs) of the MLRs and Oversight of Professional Body Anti-Money Laundering and Counter Terrorist Financing Supervision Regulations 2017 (OPBAS Regulations) and a forward-looking review of the UK’s anti-money laundering and countering the financing of terrorism regime, responding to its Call for Evidence. Overall, the review suggests that the UK's AML regime is working effectively enough that no wholesale changes are needed; instead, the Treasury will take an incremental approach to improvements and remedying deficiencies using structures already in place.
In this note we explain the key amendments to the MLRs taken forward by the Treasury, and explore in more detail the MLRs PIR and forward-looking review conclusions which relate to the financial services sector.
Key changes to the MLRs
Transfers of cryptoassets
The Treasury will implement the travel rule for the transfer of cryptoassets. The travel rule will only apply to intermediaries that are cryptoasset exchange providers or custodian wallet providers and will not capture others, like software providers, to whom the travel rule is not meant to apply. Sub-custodians will also be subject to the travel rule requirements.
The Treasury will no longer require that both fiat currency and cryptoasset transfers are considered for the calculation of the de minimis threshold. Further, information requirements relating to unhosted wallet transfers will be applicable on a risk sensitive basis only.
Only one of the originator's address, date and place of birth, and passport number will need to be sent with a cross-border transfer that is above the de minimis threshold
Reflecting the consensus in favour of a grace period and taking into account the current state of compliance technology, the Treasury has decide to allow a 12-month grace period, to run from the point at which the MLRs take effect until 1 September 2023, during which time crypto businesses will be expected to implement solutions to enable compliance with the travel rule.
Change in control of cryptoasset firms
Currently, firms wishing to enter the UK cryptoasset market are able to acquire beneficial ownership in an existing registered cryptoasset firm without prior notification or FCA consent, effectively sidestepping the registration requirements under the MLRs. In order to close this gap in regulation, the Treasury will amend the MLRs to require proposed acquirers of cryptoasset firms to notify the FCA ahead of such acquisitions, allowing the FCA to undertake a "fit and proper" assessment of the acquirer, and providing the FCA will powers to object to any such acquisition before it takes place and cancel registration of the firm being acquired. The measure will also capture change in control offences under the MLRs.
This was not consulted on - the Treasury says it only came to the government's attention after the consultation period, and indeed there have been a few high profile statements issued by the FCA recently expressing frustration at not being in a position to act more quickly in relation to changes in control of cryptoasset firms.
Importantly, the provisions on changes in control of registered cryptoasset businesses will come into force 21 days after the Statutory Instrument is made, meaning that those considering acquisitions in the crypto sector will need to be prepared to factor in the FCA's approval process.
Changes in scope
The Treasury has decided to remove Account Information Service Providers (AISPs) from the regulated sector but keep Payment Initiation Service Providers (PISPs) within scope, in large part because PISPs are involved in payment chains and therefore may represent a higher risk of being used as a tool of economic crime more broadly.
Further, the Treasury will not be removing Bill Payment Service Providers (BPSPs) and Telecoms, Digital and IT Payment Service Providers (TDITPSPs) from scope of the MLRs at this time, given that (like PISPs) they are involved in payment chains and, additionally, further research is necessary to develop a more in-depth understanding of the risks associated with BPSPs and TDITPSPs.
The Treasury has also decided to amend the definition of an "art market participant" to explicitly exclude from scope artists who sell their own works of art over the €10k threshold.
Clarificatory changes to strengthen supervision
The Treasury has decided to amend the MLRs to introduce an explicit legal right of access gateway for AML/CTF supervisors to access, view and consider the quality of the content in suspicious activity reports (SARs) submitted by supervised populations. Currently, there is no standardised approach to accessing SARs. Some supervisors are already accessing the content of SARs to fulfil their supervisory functions while others are hesitant, due to the ambiguity of the MLRs as to whether they have explicit permission to do so. The amendments will allow supervisors to review and provide feedback on SARs to their supervised population following a risk-based approach, obtain information that is necessary to help inform their understanding of sector risks, and strengthen guidance provided to supervised populations, improving the quality of SARs.
Some respondents felt this would increase the risk of tipping off, but the Treasury ultimately concluded that no increased risk is expected as the Proceeds of Crime Act 2002 already permits SARs to be disclosed to an authority that is the supervisory authority for that firm/individual without the offence of tipping off being engaged. Concerns were also expressed around confidentiality, and in response the Treasury expects supervisors to implement effective information handling measures.
The Treasury has decided not to proceed with amendments to align the activities that make a person a credit and financial institution as per the MLRs with the Financial Services and Markets Act 2000 and defined terms under the Regulated Activities Order. This is because, although it is acknowledged as a sensible move, the policy and legal analysis required to appropriately define all forms of credit and financial institution in detail will be "especially complicated and technical", requiring long-term discussions with industry.
Expanded requirements to strengthen the regime
The Treasury will proceed with amending the MLRs to include provisions on proliferation financing (PF) – these amendments will implement FATF standards to require financial institutions and designated non-financial businesses and professions to identify, assess and maintain policies, controls and procedures action to mitigate PF risks, the definition of which will follow UN Security Council Resolutions.
The MLRs will also be amended to achieve greater alignment between the forms of business arrangement that a Trust and Company Service Provider (TCSP) can form and those that register with Companies House, in particular to include all forms of UK limited partnerships (LPs). Further amendments will include the appointment of a LP by a TCSP as constituting a business relationship and will therefore require customer due diligence (CDD) to be conducted on LPs, if they are the customers of TCSPs.
Further, the Treasury has decided to expand the discrepancy reporting requirement to cover ongoing business relationships, meaning that ongoing CDD requirements will also include requirements to report discrepancies. The requirement will also be amended so that it is clear that only "material discrepancies" need to be reported, together with a list of the types of discrepancies which would be "material". The discrepancy reporting regime will also be expanded to extend the requirement to include entities on the Register of Overseas Entities set up by the Economic Crime (Transparency and Enforcement) Act 2022. These changes to the reporting of material discrepancies will come into force on 1 April 2023.
Information sharing and gathering
The Treasury will amend Regulation 52 to:
• expand the intelligence and info-sharing gateway to allow for reciprocal sharing from relevant authorities (specifically law enforcement) to supervisors;
• expand the list of "relevant authorities" to explicitly include certain parts of BEIS; and
• enable the FCA to disclose the confidential information it receives, in relation to its MLRs duties, more widely.
The Treasury will also extend Regulations 74A-C (reporting requirements, skilled persons reports, powers of direction) to apply to Annex I firms, to bring Annex I firms in alignment with the current powers that the FCA has available for cryptoasset businesses under Regulations 74A-C of the MLRs.
Notices of refusal to register
The Treasury will amend Regulation 59 to allow the FCA and HMRC the discretion to publish information about decisions not to register an applicant. The FCA will also be permitted to publish notices where it has objected to the acquisition of an already registered cryptoasset firm.
Review of the UK AML regime
As a reminder, the Treasury's review is intended to assess the UK’s AML/CTF regulatory and supervisory regimes, grouped under three broad themes:
• a systemic review of the overall effectiveness of the regimes and their extent (i.e. the sectors in scope as relevant entities);
• a regulatory review of whether key elements of the current regulations are operating as intended; and
• a supervisory review of the structure of the supervisory regime, including the work of OPBAS to improve effectiveness and consistency of supervision.
This review is also part of the Treasury's legal requirements: the MLRs require the Treasury to have published a report no later than 26 June 2022 reviewing the regulatory provision set out in the MLRs and OPBAS Regulations, which must set out the objectives intended to be achieved, assess the extent to which the objectives are achieved, assess whether the objectives remain appropriate, and assess the extent to which they could be achieved in another way which involves less onerous regulatory provision. The Treasury also undertook the review in the context of UK regulation post-Brexit, aiming to shift toward effective outcomes rather than technical compliance in line with the FATF's own rebalancing efforts.
Overall, the Treasury's review suggests that the UK's AML regime is working effectively enough that no wholesale changes are planned. However, there is scope to improve implementation and remedy ongoing deficiencies.
The analysis of the MLRs PIR suggests three key findings:
• There are continuing deficiencies in ML/TF risk assessment and understanding across the regulated sector. In financial services, gaps remain particularly in business-wide risk assessments, experienced and skilled resourcing at smaller firms, and control frameworks relating to cryptoassets.
• Specific deficiencies remain in the application of risk mitigating measures by the private sector, with the FCA specifically noting inadequate customer due diligence and enhanced due diligence as common failings identified through its supervision. Other supervisors have also identified policies, controls and procedures as common failings.
• There have been some improvements in the supervision regime, with the FCA responding to recommendations from the FATF Mutual Evaluation Report to strengthen its risk-based approach. However, more generally, the latest OPBAS supervision report suggests continuing issues with inconsistent and supervision by professional body supervisors with varying levels of effectiveness, despite improvements in their technical compliance with the MLRs.
The review of the AML/CTF regulatory and supervisory regimes sets out specific proposals and next steps.
Key conclusions from the forward-looking review:
• Supervision: reform is needed, particularly in relation to inconsistency in the application of enforcement powers across different sectors and differing views among supervisors on the appropriateness of stringent enforcement decisions. However, the best scale and type of reform is not yet clear. The Treasury has laid out a shortlist for supervisory reform, mostly focused on strengthening supervision, particularly in sectors supervised by Professional Body Supervisors (PBSs) overseen by OPBAS, and will consult further on options for reform.
• Specific regulations: in the Treasury's view, most of the requirements and provisions currently in the MLRs are the right ones. Where changes will improve the effectiveness of the regulations, including the risk-based approach, they have been proposed in the review - this includes consulting on removing the list of required checks for customers in high-risk third countries (except in the case where the FATF requires the application of specific elements of enhanced due diligence (EDD)) to align with EDD requirements for other circumstances, and consulting on options aiming to address the difficulties in accessing pooled client accounts (PCAs), including broadening the range of low-risk circumstances in which PCAs may be provided without checks being required on the clients whose funds are held in the account. • Objectives: the government will set out clear new objectives to the MLRs, in line with the FATF’s methodology and embedding a renewed definition of effectiveness. Measuring effectiveness remains difficult; wider “outcomes-focused” metrics as part of the updated Economic Crime Plan later in 2022, and but the government is committed to setting out a revised set of metrics to better measure effectiveness.
• Risks: the government will use existing processes including the National Risk Assessment (NRA) to assess emerging risks and consider changes to the MLRs. Instead of setting out National Priorities similar to those published in June 2021 by FinCEN in the US, the focus will be on incorporating feedback from the Treasury's Call for Evidence during the development of the upcoming Economic Crime Plan and NRA to incorporate system-wide efforts to improve risk understanding and information sharing around risks and threats.
• Wider levers for effectiveness: the Treasury takes the view that making incremental improvements within existing structures rather than radical overhaul is the most appropriate approach, particularly in relation to the application of new technologies, the challenges faced by small or newly regulated firms, the incentives of the current system and the supervisory approach to the risk-based approach. The Treasury has decided not to make wholesale changes to gatekeeping and SARs.
• Sector guidance: the Treasury will also maintain the overall structure of the current sectoral guidance arrangements and take an incremental approach to improvement, with reforms aiming to make the existing guidance more streamlined, consistent and clear. The Treasury will consider requests for further guidance on a case-by-case basis.
While most of the specific measures amending the MLRs will come into force on 1 September 2022, as detailed above there are a few specific points to note on timing:
• Provisions on changes in control of registered cryptoasset businesses come into force 21 days after the Statutory Instrument is made.
• Provisions on reporting of material discrepancies come into force on 1 April 2023.
• Provisions on the travel rule for cryptoassets come into force on 1 September 2023.
For crypto firms in particular, this is both good and bad news. A long grace period before the travel rule for cryptoassets takes effect will allow firms to develop, test and implement compliance solutions. However, those seeking to enter the crypto market in the UK through acquisition of an existing registered firm will need to be prepared to factor in the FCA's approval process, which is expected to be in effect before the end of the summer. Given that the FCA has experienced delays to their change in control process during the first half of 2022, with its most recent statement indicating a delay of about one and a half months between submission of a complete notification and allocation to a case officer, firms should anticipate that the change in control approval process will take longer than expected.
On the UK's AML regime more widely, as explained above the Treasury has decided that no wholesale changes are needed. Instead, the Treasury will take an incremental approach to improvements using structures already in place, including through publication of the second Economic Crime Plan later in 2022. The Treasury will also issue a consultation on reforming supervision, primarily in relation to PBSs, but no major reforms are currently planned, with the Treasury preferring to employ existing levers to improve effectiveness.