Regulatory Bulletin: Money Laundering Regulations 2017

MONEY LAUNDERING REGULATIONS 2017: what you need to know

WHAT is it?

The Money Laundering Regulations 2017 are effectively the UK government’s transposition of the new measures introduced by the 4th EU Anti-Money Laundering Directive (4th EU AML Directive). The legislation does not represent a major overhaul of businesses’ Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) obligations, but rather a consolidation and strengthening of the existing law, with more prescriptive emphasis on certain areas.

WHO will it affect?

The Money Laundering Regulations 2017 will affect money-laundering procedures at banks, building societies, credit unions and all types of financial services firms, including PSPs, EMIs and consumer credit firms. The full list of firms affected can be found in Schedule 2 of the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017.

WHEN does it come into force?

The 4th Money Laundering Directive came into force on the 26th of June 2017.

WHAT are the key focus areas?

Risk Assessment

Central to the new legislation are the much more prescriptive requirements related to risk assessments. Your firm will need to conduct a documented risk assessment in order to determine its obligations under the new law. The risk assessment should examine the level of money laundering and terrorist financing risk to which your business is subject, taking into account the following factors (see regulation 18 of the 2017 Regulations):

  • Any information made available to you by your relevant supervisory authority (the FCA, in the case of financial sector firms) as a result of its own risk assessment – the FCA has not released their own risk assessment at the time of writing;
  • Relevant “risk factors”, including factors related to:
    • Your customers (if they were, for example, entirely UK-based natural persons, this would generally present a lower risk than if they were offshore legal entities with complex ownership structures);
    • The countries or geographic areas in which you operate (consult Transparency International’s indexes of perceived corruption to get an idea of high-risk jurisdictions);
    • Your products or services (some sectors, like foreign exchange, are particularly vulnerable to becoming conduits for illegal cash);
    • Your transactions (do you always know where the money is coming from – and who it is going to?)
    • Your delivery channels (if you operate an automated online login system, for example, how do you stop high-risk customers from signing up?).

The level of detail included in the risk assessment should be proportionate to the size, nature and scale of your business. Risk assessments should be written down, dated and fully documented, as the Regulations stipulate that you must make them fully available to the FCA or other supervisory authorities on request.

Policies, controls and procedures

After you have completed your risk assessment, Regulation 19 requires you to use its findings to review your current AML/CTF procedures and assess whether they are adequate to manage and mitigate the risk of money laundering or terrorist financing. If necessary, you should put new procedures in place, following the guidelines established in the Regulation. In any event, your policies should at least reflect that a risk assessment has taken place in line with the new law, even if you don’t make any substantive changes.

If your firm pre-dates the implementation of the 2017 Regulations, you should already have policies and procedures in place to cover AML/CTF risk. The vast majority of firms used the JMLSG Guidance as a basis for their own policies, and this document has now been updated to take into account the new law, so it would be a sensible approach to continue following its updated guidelines on matters such as KYC documentation, electronic verification, and sanctions. The guidance is not binding and does not have the force of law, but its authors represent an industry consensus and work closely with HM Treasury, so its suggestions can be used as a guide to best practice.

In any event, your revised AML policies and procedures must include:

  • Risk management practices;
  • Internal controls, in line with Regulations 21 to 24;
  • Customer Due Diligence (KYC) measures, in line with regulations 27 to 38;
  • Reliance on Due Diligence information, and record keeping procedures, in line with regulations 39 to 40;
  • Procedures for the monitoring of compliance with, and internal communication of, your AML policies, controls and procedures (this will include regularly updating your Risk Assessment, including AML procedures in your internal compliance review, and arranging training for staff).

The Regulations require you to regularly review and update your AML policies and procedures, as well as keeping a record of any changes you have made as a result of these reviews. In practice, this will mean maintaining a “version history” document, detailing any changes made to internal policies and the rationale for doing so. You must also record the steps taken to communicate the revised policies within your business. This would normally mean scheduling internal training and keeping a record of attendance as well as keeping a record of the training materials themselves.

As well as stipulating the high-level areas your AML policies and procedures must cover, the 2017 Regulations are more prescriptive when it comes to certain situations. In particular, your policies and procedures must now include:

  • Procedures for the identification and scrutiny of the following:
    • Any transaction which is complex and unusually large, follows an unusual pattern, or has no apparent economic or legal purpose;
    • Any other activity or situation which you have identified as particularly likely by its nature to be related to money laundering or terrorist financing.
  • Procedures which specify the taking of additional appropriate measures to prevent the use of products or transactions which might favour anonymity (e.g. cryptocurrency) for money laundering or terrorist financing;
  • Procedures for the adopting of new technology. If you propose to adopt new technology, you should take “appropriate measures” to identify and mitigate any potential new money laundering or terrorist financing risks which arise as a potential result;
  • Procedures for ensuring that Part 7 of the Proceeds of Crime Act 2002 (money laundering offences) and Part 3 of the Terrorism Act 2000 (proscribed organisations) are complied with when a person in your firm knows or suspects (or has reasonable grounds to suspect) money laundering or terrorist financing;
  • In the case of money services business (E-Money or payment institutions), procedures for assessing whether its agents satisfy the “fit and proper” test provided for in regulation 58, and assessing the extent of the risk that the agent may be used for money laundering or terrorist financing.

Regulation 20 provides for the situation in which your firm is part of a group and how policies and procedures should be applied group-wide as a result.

Internal controls

The 2017 Regulations introduce further mandatory measures in the realm of internal controls. Most notably, you are now required to appoint one individual at Board level (or equivalent) or senior management as the officer responsible for ensuring your firm’s compliance with the Regulations. This is a separate and additional function to that of the MLRO, although you can appoint one individual to fulfil both functions. If you are a sole trader who does not employ or act in association with another person or company, you do not need to fulfil this requirement.

You also need to adopt the following measures:

  • Introduce “screening” of your “relevant” employees (broadly, those who monitor or are capable of affecting your money laundering or terrorist financing risk), both before they are appointed and on an ongoing basis. This screening should take into account:
    • The skills, knowledge and expertise of the employee to carry out their functions effectively (a complete CV should normally suffice); and
    • The conduct and integrity of the individual (for example, through criminal record checks or examination of employment references).
  • Appoint a “nominated officer” (an MLRO).

Regulation 24 of the 2017 ML Regulations requires you to:

  • Ensure all staff are aware of the law relating to money laundering, terrorist financing and data protection (Regulation 40);
  • Ensure staff are able to recognise and deal with transactions and activities which may be related to money laundering and/or terrorist financing.

Customer Due Diligence

One of the main changes since the Money Laundering Regulations 2007 is that firms can no longer carry out Simplified Due Diligence based only on customer type. You can ‘adjust the timing and the extent’ of what information you acquire from your customers. You should take into account the risk assessment relating to the customer, product and geographical factors. For a full list of factors, please see Regulation 36 of the 2017 ML Regulations.

There is a new requirement for enhanced due diligence measures. The requirement is to carry out enhanced measures where:

  • A transaction or business relationship involves a person established in a high-risk third country;
  • The customer is a Politically Exposed Person (PEP);
  • The customer is a family member or known close associate of a PEP.

The FCA has published guidance on its website (FG 17/6, the treatment of politically exposed persons for anti-money laundering purposes).

WHAT do firms need to do to comply?

  1. Carry out a documented risk assessment (Remember the level of detail of the assessment should be proportionate to the nature, size and complexity of your business).
  2. Conduct a review of your current AML policies and procedures based on the risk assessment results, and consider what changes need to be made and what needs to be added or removed (it should be clear to the regulator that the risk assessment has taken place).
  3. Remember to keep a record of any changes you have made to your current AML policies and procedures.
  4. Make all staff aware of the new regulation, determine who your ‘relevant employees’ are and introduce screening.
  5. Appoint a dedicated Officer to oversee the firm’s compliance with the new regulation.
  6. Ensure your employees are able to recognise any suspicious transactions or activity (through training).
  7. Familiarise staff with the new requirements for carrying out ‘Simplified DD’.

WHAT can we do to help?

Here at FinTech Compliance we have the knowledge and expertise needed to help you with:

  • Assisting your firm with carrying out a risk assessment and determining what regulation your business is subject to;
  • Designing additional policies and procedures to ensure your firm is in compliance with the 2017 Directive
  • Putting together training material to ensure your staff are familiar with the rules and regulations
  • Ensuring your nominated officer/MLRO is up-to-date with the new rules and regulations

We are also very excited to announce that FinTech Compliance will start a series of Compliance Training Days this Autumn and AML & Terrorist Financing Regulation 2017 is one of the hot topics! Please call or email us to find out more.