The 2017 Regulations largely apply to the same entities and individuals as the 2007 Regulations, including accountancy services; trust or company services; or related services such as tax advice, audit or insolvency. Dealers in goods who make or receive any cash payment exceeding €10,000 (the threshold was €15,000 in the 2007 Regulations), whether in one transaction or several linked transactions, must also comply. There is an exemption for those engaging in financial activity on an occasional basis if their annual turnover is less than £100,000 (increased from the previous threshold of £64,000) and other criteria are met.
The requirements of the MLR 2017 are set out below.
Whole firm risk assessment
The regulations require a risk assessment of your firm to be conducted and documented, in order to identify money laundering and terrorist financing risks that your firm may face and how you will mitigate these risks.
Risk assessments must be proportionate to the size and nature of the firm. The risk factors to be taken into account relate to:
the countries or geographic areas your firm operates in;
your products and services;
your transactions; and
your delivery channels.
The firm wide risk assessment must take into account information made available by your supervisory authority. AIA has worked with other accountancy bodies to produce guidance on circumstances where there may be a high risk of money laundering or terrorist financing:
Firms must provide firm wide risk assessments, including underlying information, to their supervisory authority on an annual basis as part of the annual member firm return as well as on request.
Internal controls – officer responsible for compliance
Where appropriate to the size and nature of the business, firms must appoint a money laundering compliance principal (MLCP) and that individual must be on the board of directors (or equivalent management body), or a member of senior management, where appropriate to the size and nature of the business. Sole practitioners with no employees are exempt from this requirement.
Firms must also appoint a nominated officer (Money Laundering Reporting Officer (MLRO)) to receive internal suspicious activity reports and assess whether a suspicious activity report should be made to the National Crime Agency (NCA).
All firms currently have an MLRO under MLR07. Where this person is sufficiently senior then they can act as MLCP and nominated officer.
If the MLRO is not sufficiently senior and an MLCP must be appointed, the MLCP’s name must be communicated to AIA within 14 days of first appointment to email@example.com.
Internal controls – screening of relevant employees
Where appropriate to the size and nature of the business, firms must assess the skills, knowledge, conduct and integrity of those employees who are involved in identifying, mitigating, preventing or detecting money laundering and terrorist financing in the course of business. This includes those staff whose work is relevant to compliance with the regulations.
You must also regularly train your relevant employees in how to recognise and deal with transactions and other activities which may be related to money laundering or terrorist financing.
Internal controls – independent audit function
Where appropriate to the size and nature of the business, firms must establish an independent audit function to examine and evaluate the effectiveness of the firm’s AML policies, procedures and controls. Sole practitioners with no employees are exempt from this requirement.
The regulations do not state that the independent audit function must be external to the firm, but it should be independent of the function being reviewed.
Policies, controls and procedures
Firms must have written policies, controls and procedures to effectively manage and mitigate the risk of money laundering and terrorist financing, as well as data protection requirements. These policies, controls and procedures must be proportionate to the size and nature of the business, approved by senior management, regularly reviewed, updated and communicated internally within your firm.
There is also a requirement for firms with overseas subsidiaries and branches to establish group wide policies and procedures that comply with UK requirements.
The firm’s policies, controls and procedures should be risk based which means that firms should focus their resources on areas that present the greatest threat of money laundering and terrorist financing.
Firms need to provide staff with appropriate training on money laundering and terrorist financing. This training now includes an obligation to make staff aware of the law on data protection, insofar as it is relevant to the implementation of the MLR2017. A written record of training must be maintained.
Apply for approval if you are a beneficial owner, officer or manager (BOOM) of a firm
Firms must perform client due diligence before establishing a business relationship and when any factors relevant to client risk assessment have changed. These include:
your client’s identity has changed;
you have identified a transaction that isn’t consistent with your knowledge of your client; or
the services you are providing to your client have changed.
Firms must identify the beneficial owner of the client and take reasonable measures to verify their identity and if the beneficial owner is an entity or legal arrangement, take reasonable measures to understand its ownership and control structure. The regulations state that you can’t rely solely on Companies House registers of beneficial ownership.
There are three key changes to the CDD requirements:
You must now also complete CDD where you only perform company formation services, even if that service is a one-off service for that client.
You must also identify and verify the identity of a person purporting to act on behalf of your client.
You must obtain and verify the name of the body corporate, its registration number, its registered address, and principal place of business. You must also take reasonable measures to determine and verify the law to which it is subject, its constitution (set out in governing documents) and the names of the board of directors and its senior management.
Simplified Due Diligence (SDD)
SDD can be applied when you have assessed the client as low risk of money laundering and terrorist financing. MLR2017 sets out a list of factors to be taken into account when assessing whether a client presents a low degree of risk of money laundering and terrorist financing. If they do, SDD measures can be applied.
Enhanced Due Diligence (EDD)
Enhanced Due Diligence (EDD) should be applied where there is a higher risk of money laundering or terrorist financing. MLR2017 sets out a list of circumstances in which EDD measures must be applied, which includes:
any transaction or business relationship with a client established in a high-risk country;
any transaction or business relationship involving a politically exposed person (PEP), or a family member or known close associate of a PEP;
any other situation which presents a high risk of money laundering or terrorist financing.
MLR2017 also sets out a list of factors that must be taken into account in assessing whether there is a higher risk of money laundering and terrorist financing present. Under the EDD measures, the regulations require that, at minimum, the background and purpose of the transaction should be examined and the frequency with which the business relationship is monitored should be increased.
In addition, you may take additional measures as part of your EDD such as seeking additional independent, reliable sources to verify the information that your client has provided to you.
The regulations give a list of risk factors that might indicate that there is a high risk of money laundering or terrorist financing. You should consider these when assessing if EDD might be appropriate:
Customer risk factors:
The business relationship is conducted in unusual circumstances.
The customer is resident in a geographical area considered to be an area of high risk.
The customer is a legal person or arrangement that is a vehicle for holding personal assets.
The customer is a company that has nominee shareholders or bearer shares.
The customer is a business that is cash intensive.
The corporate structure of the customer is unusual or excessively complex given the nature of the company’s business.
Product, service, transaction or delivery channel risk factors:
The product involves private banking.
The product or transaction is one which might favour anonymity.
The situation involves non-face-to-face business relationships or transactions, without certain safeguards, such as electronic signatures.
Payments will be received from unknown or unassociated third parties.
New products and new business practices are involved, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products.
The service involves the provision of nominee directors, nominee shareholders or shadow directors, or the formation of companies in third countries.
Geographical risk factors:
Countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective systems to counter money laundering and terrorist financing.
Countries identified by credible sources as having significant levels of corruption or other criminal activity.
Countries subject to sanctions, embargoes or similar measures issued by, for example, the European Union or the United Nations.
Countries providing funding or support for terrorism.
Countries that have organisations designated by the UK, the EU or other countries/international organisations as terrorist organisations.
Politically exposed persons (PEP)
The regulations require you to have appropriate risk management policies and procedures in place to identify whether a client, or the beneficial owner of a client, is a PEP or a family member or known close associate of a PEP.
A family member of a PEP includes their spouse, civil partner, children and parents.
A known close associate of a PEP means:
An individual known to have joint beneficial ownership of a legal entity or a legal arrangement or any other close business relations with a PEP.
An individual who has sole beneficial ownership of a legal entity or a legal arrangement which is known to have been set up for the benefit of a PEP.
When you identify a potential client is a PEP, you must assess the level of risk associated with your client and the extent of any EDD that you should perform on that client. As a minimum, you must:
obtain senior management approval for establishing or continuing the business relationship;
take adequate measures to establish the source of wealth and funds involved in the business relationship or transaction; and
conduct enhanced ongoing monitoring of the relationship.
When a client ceases to be a PEP, you must continue to apply your EDD procedures for at least 12 months (or longer if necessary, to address the risk of money laundering or terrorist financing). However, if your client is a family member or known associate of a PEP, you can stop applying EDD procedures as soon as the PEP status ends.
In determining whether someone is a known close associate of a PEP, obliged entities are allowed to rely only on information they already hold or that which is freely available in the public domain.
The FCA has published guidance on the treatment of PEPs for anti-money laundering purposes.
Reliance on third parties
If you place reliance on the CDD of a third party, or if a third party places reliance on your CDD, you need to be aware of the changes under the regulations.
If you are relying on a third party, you must obtain all relevant information. You must also enter into a written arrangement that confirms that the firm being relied on will provide the relevant documentation immediately on request.
Record keeping and data protection
Firms must keep a copy of documents and records for five years after the business relationship has ceased or the completion of the transaction. At the end of the five years, firms must delete any personal data in those records unless:
you are required to retain records containing the personal data under an enactment or for the purposes of court proceedings or you have reasonable grounds for believing the records need to be retained for legal proceedings; or
you have the consent of the person whose data it is.
In addition, firms must provide new clients with:
information specified in paragraph 2(3) of Part 2 of Schedule 1 to the Data Protection Act 1998; and
a statement that any personal data received from the client will only be processed for the purposes of preventing money laundering or terrorist financing unless permitted by an enactment or unless they provide consent.
Firms should consider updating their letters of engagement to existing clients.
Register of Trust or Company Service Providers (TCSP)
HMRC established a register of TCSPs who are not registered with the Financial Conduct Authority (FCA) covering all non-FCA registered firms. A firm must not act as a TCSP unless it is on the register or has applied and not been rejected from registration.
AIA will automatically register your firm for AML supervision on the HMRC TCSP register provided your firm is supervised for AML by AIA as an accountancy service provider AND you have declared you provide TCSP services on your annual firm declaration. Further details can be found here.
Amendments to the MLR2017
On 10 January 2020 changes to the UK Money Laundering Regulations came into force.