AML requirements for covered institutions and individuals

Enforcement and regulation

Which government entities enforce the AML regime and regulate covered institutions and persons in your jurisdiction? Do the AML rules provide for ongoing and periodic assessments of covered institutions and persons?

Businesses operating in the regulated sector are subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the Regulations) and are monitored by a supervisory authority. Each supervisory authority is responsible for monitoring and taking appropriate action to ensure compliance with the Regulations and must provide guidance to businesses in its sector.

The Financial Conduct Authority (FCA), HM Revenue and Customs, the Gambling Commission and 22 other professional bodies act as supervisory authorities under the Proceeds of Crime Act 2002 (POCA) and the Regulations. Breaches of the Regulations, or of a supervisory body's own regulatory rules, may be pursued civilly or criminally. Supervisory authorities may also take other regulatory action in relation to failures of money laundering systems and controls.

The Office for Professional Body Anti-Money Laundering Supervision was established in 2018 and is based within the FCA. Its objective is to improve the consistency of professional body AML supervision. It has the power to ensure that the professional bodies acting as supervisory authorities meet the standards required by the Regulations.

Covered institutions and persons

Which institutions and persons must have AML measures in place?

Regulated sector businesses are required to implement extensive compliance programmes as set out in the Regulations. A business is a regulated business if it is involved in one of the activities listed in Part 1 of Schedule 9 of POCA and if it is a ‘relevant person’ under Regulation 8 of the Regulations.

The regulated sector includes:

  • credit institutions;
  • financial institutions;
  • auditors, insolvency practitioners, external accountants and tax advisers;
  • independent legal professionals;
  • trust or company service providers;
  • estate agents and letting agents;
  • high-value dealers;
  • casinos;
  • art market participants (from September 2022, this does not include those who sell their own work);
  • cryptoasset exchange providers; and
  • custodian wallet providers.


Those in the regulated sector also have an obligation, under criminal penalty, to report money laundering where they know or suspect it (a subjective test) or have reasonable grounds for knowing or suspecting it (an objective test).

Non-regulated businesses, although not under an obligation to implement AML measures, may nevertheless consider it prudent to put measures in place to mitigate AML risk. Non-regulated businesses can commit the substantive money laundering offences and the prejudicing an investigation offence under POCA. Section 332 of POCA also creates an additional failure to disclose offence for nominated officers of non-regulated businesses; however, the offence only applies if a nominated officer has actually been appointed. Liability attaches only to the nominated officer and not to other employees, and the offence is not committed unless the nominated officer has actual knowledge or suspicion of money laundering (there is no objective, reasonable grounds limb, unlike in the regulated sector).


Do the AML laws applicable in your jurisdiction require covered institutions and persons to implement AML compliance programmes? What are the required elements of such programmes?

Regulated sector businesses are required to implement extensive compliance programmes as set out in the Regulations.

The Regulations contain a large number of requirements, and failure to comply with them can attract civil and criminal penalties. The requirements include, but are not limited to:

  • carrying out a risk assessment that identifies and assesses the risk of money laundering, terrorist financing and proliferation financing to its business;
  • establishing and maintaining policies, controls and procedures to mitigate and manage effectively the risks of money laundering, terrorist financing and proliferation financing identified in the risk assessment; and
  • the application of customer due diligence (CDD) measures following a risk-based approach.


The policies and procedures must be risk-based and proportionate to the size and nature of the business. The approach must be approved by senior management and subject to proper record-keeping practices.

Breach of AML requirements

What constitutes breach of AML duties imposed by the law?

Breaches of AML duties arise under both POCA and the Regulations: the substantive money laundering offences (sections 327 to 329 of POCA), failures to comply with the regulated sector reporting obligations, tipping off and prejudicing an investigation, and breaches of the requirements of the Regulations themselves.

Customer and business partner due diligence

Describe due diligence requirements in your jurisdiction’s AML regime.

Under the Regulations, a business in the regulated sector must carry out CDD in circumstances including the following:

  • when establishing a business relationship (before it is established, unless it would interrupt the normal conduct of business and there is little risk of money laundering, terrorist financing or proliferation financing);
  • when carrying out an occasional transaction that amounts to a transfer of funds within the meaning of article 3.9 of Regulation (EU) 2015/847 (which is retained in UK law post-Brexit) exceeding €1,000 (before the transaction is carried out, unless it would interrupt the normal conduct of business and there is little risk of money laundering and terrorist financing);
  • where money laundering or terrorist financing is suspected;
  • where there are doubts about the veracity or adequacy of documents or information obtained for the purposes of identification or verification;
  • at other appropriate times to existing customers, following a risk-based approach;
  • when the regulated person becomes aware that the circumstances of an existing customer relevant to its risk assessment for that customer have changed; and
  • when the relevant person has any legal duty in the course of the calendar year to contact an existing customer to review information that is relevant to the business’s risk assessment for that customer and relates to the beneficial ownership of the customer.


The CDD measures must include identifying and verifying the customer (unless the customer is known and has been verified), and assessing the purpose and intended nature of the business relationship or occasional transaction. 

A risk-based approach should be taken to CDD. The Regulations contain provisions for applying enhanced due diligence (EDD) on higher-risk customers and simplified due diligence on lower-risk customers.

Where the customer is a corporate, CDD must include the verification of certain details. Reasonable steps must also be taken to determine and verify the law to which the corporate is subject, the names of the directors on the board or equivalent body and the senior persons responsible for the operations of the body corporate (unless the customer is a business listed on a regulated market).

A beneficial owner in relation to a body corporate that is not a listed company is any individual who:

  • exercises ultimate control over the management of the body corporate; 
  • ultimately owns or controls (directly or indirectly) more than 25 per cent of the shares or voting rights; or 
  • controls the body corporate (Regulation 5 of the Regulations).


The Regulations include an obligation to take reasonable measures to understand the ownership and control structure where the customer is a legal person, trust, company, foundation or similar legal arrangement (Regulation 28(3A) of the Regulations).

Unless the customer is a business listed on a regulated market, where it is beneficially owned by another person, the beneficial owner must be identified and reasonable measures taken to verify the identity of the beneficial owner, including information that enables the regulated entity to understand the ownership and control of the beneficial owner if it is a legal person, trust, foundation or similar legal arrangement.

There is also an obligation to report to Companies House any discrepancy found in relation to beneficial ownership between information collected from Companies House during the CDD process and information that otherwise becomes available in the course of carrying out the duties under the Regulations (Regulation 30A(2)). From 1 April 2023, it will be necessary to collect an excerpt from the register that shows the beneficial owners of the customer. From this date, the duty to report on discrepancies will be limited to material discrepancies, as defined in the Regulations, and will be extended beyond initial CDD to the ongoing monitoring of the business relationship. 

Credit and financial institutions are subject to additional CDD obligations in relation to certain transactions (Regulation 29).

Where a regulated business is unable to comply with the CDD requirements, the Regulations require that the business relationship must not be established, the transaction must not be carried out or an existing business relationship must be terminated. The business must also consider whether it is required to make a disclosure under Part 7 of POCA, that is, to file a suspicious activity report (SAR) (Regulation 31).

High-risk categories of customers, business partners and transactions

Do the AML rules applicable in your jurisdiction require that covered institutions and persons conduct risk-based analyses? Which high-risk categories are specified? What level of due diligence is expected in relation to customers assessed to be high risk?

The Regulations require regulated sector businesses to carry out a written risk assessment and to identify and assess the risk of money laundering, terrorist financing or proliferation financing to which the business in question is subject. In carrying out the risk assessment, the business must take into account:

  • guidance and other information issued by the relevant regulator (and, in relation to proliferation financing, the national risk assessment conducted by HM Treasury); and
  • risk factors relating to:
    • the business’s customers;
    • countries and geographic areas in which the business operates;
    • its products or services and transactions; and
    • its delivery channels.


The risk assessment must be provided to the regulator on request. The Regulations require a risk-based approach to CDD, with standard CDD, simplified due diligence or EDD applied according to the assessed money laundering and terrorist financing risk. EDD must be applied where there is a high risk of money laundering or terrorist financing (Regulation 33). High risk includes, among others, where the relationship is with a person established in a high-risk third country or the customer is a politically exposed person (PEP); a correspondent banking relationship with a credit or financial institution; or a transaction that is complex or unusually large.

A PEP is defined in Regulation 35 as a person entrusted with a prominent public function. Family members and known close associates of a PEP will also be subject to EDD. Where the person is no longer a PEP, EDD continues to apply for a period of at least 12 months after the date the person ceased to be entrusted with that prominent public function or for such longer period as the business considers appropriate. PEPs face a higher level of scrutiny, including a focus on their source of wealth and funds, because of the risk that they can abuse their position.

High-risk third countries are those considered by HM Treasury to be jurisdictions with unsatisfactory money laundering and terrorist financing controls. HM Treasury replicates on its own list the countries identified by the Financial Action Task Force as high risk or as subject to increased monitoring.

Under the Regulations, a credit or financial institution must not enter into or continue a correspondent relationship with a shell bank.

Record-keeping and reporting requirements

Describe the record-keeping and reporting requirements for covered institutions and persons.

The Regulations require that a regulated business must keep certain documents for five years following the date on which the business knows, or has reasonable grounds to believe, that the transaction is complete or that the business relationship has come to an end. Once the period has expired, all personal data obtained for the purposes of the Regulations must be deleted, except in certain limited circumstances.


Reporting requirements

There are a number of reporting requirements under POCA. In broad terms, where a person operating in the regulated sector knows, suspects or has reasonable grounds to know or suspect money laundering activity, a SAR must be filed with the National Crime Agency (NCA).

The disclosure, made via a SAR, must be made as soon as practicable after the information or other matter giving rise to the knowledge or suspicion came to the person. No offence is committed if there is a reasonable excuse for not making the disclosure, or the information came to a legal adviser or relevant professional adviser in privileged circumstances.

Under section 331 of POCA, a nominated officer, usually the money laundering reporting officer (MLRO), commits an offence if they fail to inform the NCA of disclosures received under section 330 of POCA where they know or suspect, or have reasonable grounds to know or suspect, that another person is engaged in money laundering.

In practice, a person in the regulated sector is expected to be subject to an AML policy that requires suspicions to be escalated to the MLRO. The MLRO will then consider the matter by reference to the CDD materials and other available information and decide whether a SAR must be filed, and whether a defence against money laundering (DAML) SAR is required before a transaction proceeds. The MLRO is not expected to file a SAR in relation to every escalation received; the expectation is that each escalation is reviewed and a SAR filed where one is required.

Privacy laws

Describe any privacy laws that affect record-keeping requirements, due diligence efforts and information sharing.

The General Data Protection Regulation (GDPR) has direct effect across the European Economic Area (EEA) as an EU regulation. Following the end of the transition period under the UK–EU Withdrawal Agreement on 1 January 2021, the GDPR is no longer directly applicable in the United Kingdom, but has been implemented into the national laws applicable in the United Kingdom by virtue of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, and the Data Protection, Privacy and Electronic Communications (Amendments, etc) (EU Exit) Regulations 2019. The version of the GDPR that applies in the United Kingdom is defined in the Data Protection Act 2018 (as amended) as the UK GDPR. The vast majority of the compliance requirements under the UK GDPR are functionally identical to those that exist under the EU GDPR.

The Data Protection Act 2018 came into force on 25 May 2018, covering the processing of personal data within and outside the scope of the UK GDPR by competent authorities for law enforcement purposes and by the intelligence services.

The UK GDPR and the Data Protection Act 2018 require personal data to be processed in accordance with prescribed principles (article 5 of the UK GDPR). There must be a lawful basis for processing (article 6 of the UK GDPR) underpinning the processing of personal data. This includes when processing personal data to conduct CDD. Subject to certain exclusions, data subjects (the individuals whose personal data are being processed) also have the right to know how their personal data will be handled and with whom it will be shared. This is usually achieved through the publishing of a privacy notice. The principles within the legislation also dictate that information should only be kept for as long as necessary and used in a way that is consistent with the purposes for which it is being held. During the CDD process, careful consideration should be given to the volume and extent of personal data that is shared and whether any additional steps need to be taken before it is shared with a third party.

A 2019 amendment to the Money Laundering, Terrorist Financing, and Transfer of Funds (Information on the Payer) Regulations 2017 introduced a requirement to provide new customers with the information required under article 13 of the UK GDPR. This includes a statement explaining that any personal data received from the customer will be processed only for the purposes of preventing money laundering or terrorist financing, or as permitted under the Regulations or the UK GDPR, or with the consent of the customer.

Personal data should not be transferred outside the United Kingdom or a jurisdiction that the United Kingdom has deemed adequate for the purposes of cross-border data transfers (noting that the United Kingdom has deemed the whole of the EEA, as well as all jurisdictions that had received an EU adequacy decision as at 1 January 2021, to be adequate for UK purposes) unless appropriate protections are in place; to do so is a breach of the UK GDPR and could lead to fines of up to £17.5 million or 4 per cent of annual global turnover (whichever is higher).

The UK GDPR imposes a general prohibition on the processing of personal data relating to criminal convictions and criminal offences (including allegations of criminal offences) subject to specific exceptions to this general prohibition. Subject to certain conditions, section 339ZB of POCA enables a regulated sector business to request information about a suspected money launderer from another regulated sector business to assist the business in its enquiries.

Similarly, the Data Protection Act 2018 also permits the processing of such personal data where it is necessary for preventing or detecting unlawful acts (Schedule 1, paragraph 10 of the Data Protection Act 2018) or complying with or assisting other persons to comply with a regulatory requirement that involves taking steps to establish whether a person has committed an unlawful act or has been involved in dishonesty, malpractice or seriously improper conduct (Schedule 1, paragraph 12 of the Data Protection Act 2018). However, an appropriate policy document must be in place when relying on the provision contained in paragraph 12.

Resolutions and sanctions

What is the range of outcomes in AML controversies? What are the possible sanctions for breach of AML laws?

In addition to the possible outcomes in criminal money laundering cases, in some cases, it may be possible to enter into an agreement under the Serious Organised Crime and Police Act 2005 for immunity from prosecution, which usually involves giving evidence in connected criminal proceedings. These agreements are uncommon.

The penalty for corporate defendants is an unlimited fine. Unlike an individual defendant, a corporate defendant can enter into a deferred prosecution agreement (DPA). At the successful conclusion of a DPA, the criminal proceedings against the corporate defendant are concluded.

The United Kingdom has a non-conviction-based asset forfeiture regime known as the civil recovery regime. Civil recovery investigations and proceedings can be settled.


The Regulations

A breach of the Regulations may attract a financial sanction from the relevant regulator in such amount as considered appropriate or a breach may receive a censure in the form of a statement published by the regulator. Civil measures may also include:

  • removing fit and proper status from an individual; 
  • suspending a firm or individual from undertaking regulated activities; and 
  • refusing, suspending or cancelling a business’s registration or authorisation.


A regulator can also impose a temporary or permanent prohibition on an individual having a management role within a relevant legal person. An injunction may also be obtained in the High Court where there is or may be a breach of a relevant requirement.

In some instances, a breach is a criminal offence and the offence can be committed by a person or a corporate (eg, breach of a relevant requirement under the Regulations). Where a corporate has committed an offence and it can be shown that it was committed with the consent or connivance of an officer of the corporate, or the offence can be attributed to any neglect on the part of an officer, the officer as well as the body corporate is guilty of the offence. The maximum penalty in each case is two years’ imprisonment or an unlimited fine, or both.

Regulators may also sanction firms or individuals by reference to other regulatory rules that are in place; for example, the FCA’s Principles for Businesses.

Limitation periods for AML enforcement

What are the limitation periods governing AML matters?

There are no limitation periods for AML-related criminal conduct.


Do your jurisdiction’s AML laws have extraterritorial reach?

The Regulations apply to the regulated sector carrying on business in the United Kingdom and to the UK operations of any foreign business.

The Regulations impose an obligation on UK financial institutions to require their non-EEA branches and subsidiaries to comply with measures equivalent to those set out in the Regulations (including CDD measures, and ongoing monitoring and record-keeping obligations).

The courts have held that the primary offences under POCA have some extraterritorial application.