WHAT is it?
The Money Laundering Regulations 2017 are effectively the UK government’s transposition of the new measures introduced by the 4th EU Anti-Money Laundering Directive (4th EU AML Directive). The legislation does not represent a major overhaul of businesses’ Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) obligations, but rather a consolidation and strengthening of the existing law, with more prescriptive emphasis on certain areas.
WHO will it affect?
The Money Laundering Regulations 2017 will affect money-laundering procedures at banks, building societies, credit unions and all types of financial services, including PSPs, EMIs and consumer credit firms. The full list of firms affected can be found in Schedule 2 of the Money Laundering, Terrorist Financing and Transfer of Funds Regulation 2017.
WHEN does it come into force?
The 4th Money Laundering Directive came into force on the 26th of June 2017.
WHAT are the key focus areas?
Central to the new legislation are the much more prescriptive requirements related to risk assessments. Your firm will need to conduct a documented risk assessment in order to determine its obligations under the new law. The risk assessment should examine the level of money laundering and terrorist financing risk to which your business is subject, taking into account the following factors (see regulation 18 of the 2017 Regulations):
The level of detail included in the risk assessment should be proportionate to the size, nature and scale of your business. Risk assessments should be written down, dated and fully documented, as the Regulations stipulate that you must make them fully available to the FCA or other supervisory authorities on request.
Policies, controls and procedures
After you have completed your risk assessment, Regulation 19 requires you to use its findings to review your current AML/CTF procedures and assess whether they are adequate to maintain and mitigate the risk of money laundering or terrorist financing. If necessary, you should put new procedures in place, following the guidelines established in the Regulation – in any event, your policies should at least reflect that a risk assessment has taken place in line with the new law, even if you don’t make any substantive changes.
If your firm pre-dates the implementation of the 2017 Regulations, you should already have policies and procedures in place to cover AML/CTF risk. The vast majority of firms used the JMLSG Guidance as a basis for their own policies, and this document has now been updated to take into account the new law, so it would be a sensible approach to continue following its updated guidelines on matters such as KYC documentation, electronic verification, and sanctions. The guidance is not binding and does not have the force of law, but its authors represent an industry consensus and work closely with HM Treasury, so its suggestions can be used as a guide to best practice.
In any event, your revised AML policies and procedures must include:
The Regulations require you to regularly review and update your AML policies and procedures, as well as keeping a record of any changes you have made as a result of these reviews. In practice, this will mean maintaining a “version history” document, detailing any changes made to internal policies and the rationale for doing so. You must also record the steps taken to communicate the revised policies within your business. This would normally mean scheduling internal training and keeping a record of attendance as well as keeping a record of the training materials themselves.
As well as stipulating the high-level areas your AML policies and procedures must cover, the 2017 Regulations are more prescriptive when it comes to certain situations. In particular, your policies and procedures must now include:
Regulation 20 provides for the situation in which your firm is part of a group and how policies and procedures should be applied group-wide as a result.
The 2017 Regulations introduce further mandatory measures in the realm of internal controls. Most notably, you are now required to appoint one individual at Board level (or equivalent) or senior management as the officer responsible for ensuring your firm’s compliance with the Regulations. This is a separate and additional function to that of the MLRO, although you can appoint one individual to fulfil both functions. If you are a sole trader who does not employ or act in association with another person or company, you do not need to fulfil this requirement.
You also need to adopt the following measures:
Introduce “screening” of your “relevant” employees (broadly, those who monitor or are capable of affecting your money laundering or terrorist financing risk), both before they are appointed and on an ongoing basis. This screening should take into account:
Regulation 24 of the 2017 ML regulation requires you to:
Customer Due Diligence
One of the main changes since the Money Laundering Regulation 2007 is that firms can no longer carry out Simplified Due Diligence based only on customer type. You can ‘adjust the timing and the extent’ of the information you acquire from your customers. You should take into account the risk assessment relating to the customer, product and geographical factors. For a full list of factors, please see Regulation 36 of the 2017 ML Regulation.
There is a new requirement for enhanced due diligence measures. The requirement is to carry out enhanced measures where:
The FCA has published guidance on its website (FG 17/6, The treatment of politically exposed persons for anti-money laundering purposes).
WHAT do firms need to do to comply?
WHAT can we do to help?
Here at FinTech Compliance we have the needed knowledge and expertise to help you with:
We are also very excited to announce that FinTech Compliance will start a series of Compliance Training Days this Autumn and AML & Terrorist Financing Regulation 2017 is one of the hot topics! Please call or email us to find out more.