The Money Laundering Regulations 2017 (“MLR 2017”) are yet to be finalised but are due to take effect on 26 June 2017. The MLR 2017 will implement several changes, particularly to risk management.
The Joint Money Laundering Steering Group, an industry recognised body that provides guidance for firms on AML compliance, has issued its Guidance on compliance with MLR 2017. Compliance with JMLSG’s Guidance is generally regarded as compliance with AML requirements. We await the finalised updated Guidance from JMLSG but have seen their draft proposed revised guidance.
Key Changes under MLR 2017
MLR 2017 will incorporate the MLR 2007. The key changes include:
- requirement of a risk assessment;
- widening the definition of “Politically Exposed Persons”;
- additional provisions regarding policies and supervision;
- changes to CDD requirements;
- confirmation of data protection/record keeping requirements; and
- changes to reporting requirements.
Risk Assessments and Policies:
Whereas the MLR 2007 required firms to keep policies relating to risk assessment and due diligence, MLR 2017 is more prescriptive. The MLR advocates a “risk based approach” to AML/TF policy.
As such, firms (if they are not already) must carry out a written risk assessment to identify and assess AML risks (Regulation 18(1)). This risk assessment must be documented, kept up to date (Regulation 18(4)) and made available to the FCA on request (Regulation 18(5) and (6)).
The risk assessment will be the foundation of a firm’s AML/TF policy. Firms should take into account:
- the customer;
- geographical location of the transaction;
- the product/service offered;
- the delivery channel (Regulation 18(2)); and
- the size and nature of the business (Regulation 18(3)).
The current JMLSG’s draft Guidance (Part 1) indicates a risk assessment may not need to be especially complex; this would be the case where the FCA considers the risks are clear and understood, or where the risks are not essentially complex.
Policies, Controls and PEPs
MLR 2017 is more prescriptive here too.
Regulation 19(1) obliges firms to establish and maintain policies managing money laundering risks identified in the risk assessment, and keep a written record of them. These must be proportionate to the size and nature of the business.
Policies must be approved by “Senior Management” (Regulation 19(2)). Senior Management is defined as “an officer or employee with sufficient authority to make decisions and knowledge of money laundering risks”.
MLR 2017 has additional provisions concerning “group company policy” (Regulation 20). Essentially under these provisions, a parent company should ensure its AML policies apply to all subsidiaries (UK and non-UK based).
Where there are subsidiaries and branches in the EEA, the parent must ensure that these offices follow the local AML laws and at the very least apply measures equivalent to those in the UK.
MLR 2017 contains further provisions in respect to “internal controls” (Regulation 21). Firms will be required to:
- appoint a board member (or equivalent management body) to be responsible for MLR 2017 compliance;
- regularly assess the suitability of the aforementioned appointed employee for the role; and
- establish some form of independent audit function with regard to AML policies.
When considering AML policies, firms should now be aware that the definition of PEPs is widened under MLR 2017, to include local PEPs and foreign PEPs (Regulation 35(12)).
As a result, firms will need to conduct enhanced due diligence for a broader range of individuals who hold prominent public functions both in the UK and overseas.
Customer Due Diligence (CDD)
As per the existing provisions, MLR 2017 provides that firms will need to:
- carry out CDD on new customers (Regulation 27(1));
- identify the customer (if not already known) and verify their identity from documents provided by the customer, or from a reliable independent source (Regulation 29);
- conduct CDD before the start of the business relationship/before completion (Regulation 30(1)) (there are exceptions if it would otherwise disrupt the normal conduct of business).
The automatic application of simplified CDD in certain circumstances has been removed. Instead, a firm will need to consider the risk factors in deciding whether it is appropriate.
There is no specific reference in MLR 2017 as to how CDD should be carried out.
Considerations for Firms – the rise of electronic evidence:
The rise of electronic transactions has naturally led to greater use of electronic verification of identity, using an electronic/digital source. Electronic verification may be carried out by the firm or through an organisation. The JMLSG advises that firms should be aware of the risks of impersonation in electronic transactions, and advises on additional verification checks in such cases.
Firms are required to keep a record of the identity and verification data of a customer for 5 years (Regulation 39(3)).
The five-year period begins when a firm has reasonable grounds to believe that:
- the transaction is complete, for records, documents or information relating to an occasional transaction; or
- the business relationship has come to an end.
After the expiry of the five-year period, such data must be deleted unless there is a legal requirement to keep it or the data subject has expressly consented.
What Should Firms be Doing
Whilst the changes introduced by MLR 2017 are not wholesale, at the very least firms should:
- ensure risk assessments are carried out;
- revise policies and procedures, taking into account the risk assessment and the JMLSG guidance;
- appoint appropriate persons to manage AML/TF policy; and
- review CDD policies, ensuring they are fit for purpose and up to date.
For further information please contact Mahesh Vara