Money Laundering Regulations 2017
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), effective on 26 June 2017, replaced the 2007 Regulations.
The 2017 Regulations largely apply to the same entities and individuals as the 2007 Regulations, including accountancy services; trust or company services; or related services such as tax advice, audit or insolvency. Dealers in goods who make or receive any cash payment exceeding €10,000 (the threshold was €15,000 in the 2007 Regulations), whether in one transaction or several linked transactions, must also comply. There is an exemption for those engaging in financial activity on an occasional basis if their annual turnover is less than £100,000 (increased from the previous threshold of £64,000) and other criteria are met.
The CCAB anti-money laundering guidance for the accountancy sector replaced the 2008 guidance which was updated to reflect the changes introduced by the 2017 regulations.
The requirements of the MLR 2017 are set out below.
Whole firm risk assessment
The regulations require a risk assessment of your firm to be conducted and documented, in order to identify money laundering and terrorist financing risks that your firm may face and how you will mitigate against these risks.
Risk assessments must be proportionate to the size and nature of the firm. The risk factors to be taken into account relate to:
- your customers;
- the countries or geographic areas in which your firm operates;
- your products and services;
- your transactions; and
- your delivery channels.
The firm wide risk assessment must take into account information made available by your supervisory authority. The IFA has worked with the other accountancy bodies to produce the below assessment of circumstances where there might be a high risk of money laundering or terrorist financing:
Firms must provide such firm wide risk assessments, including underlying information, to their supervisory authority on an annual basis as part of the annual member firm return as well as on request.
Internal controls – officer responsible for compliance
Where appropriate to the size and nature of the business, firms must now appoint a money laundering compliance principal (MLCP) and that individual must be on the board of directors (or equivalent management body), or a member of senior management, where appropriate to the size and nature of the business. Sole practitioners with no employees are exempt from this requirement.
Firms must also appoint a nominated officer (Money Laundering Reporting Officer (MLRO)) who receives internal suspicious activity reports and assesses whether a suspicious activity report should be made to the National Crime Agency (NCA).
All firms currently have an MLRO under MLR07. Where this person is sufficiently senior then they can act as MLCP and nominated officer.
If the MLRO is not sufficiently senior and an MLCP must be appointed, the MLCP’s name must be communicated to IFA within 14 days of first appointment to firstname.lastname@example.org.
However, the IFA will presume that the MLCP is the same individual as the firm’s registered MLRO unless the firm informs us otherwise.
Internal controls - screening of relevant employees
Where appropriate to the size and nature of the business, firms must now assess the skills, knowledge, conduct and integrity of those employees who are involved in identifying, mitigating, preventing or detecting money laundering and terrorist financing in the course of business. This includes those staff whose work is relevant to compliance with the regulations.
You must also regularly train your relevant employees in how to recognise and deal with transactions and other activities which may be related to money laundering or terrorist financing.
Internal controls - independent audit function
Where appropriate to the size and nature of the business, firms must establish an independent audit function to examine and evaluate the effectiveness of the firm’s AML policies, procedures and controls. Sole practitioners with no employees are exempt from this requirement.
The regulations do not state that the independent audit function must be external to the firm, but it should be independent of the function being reviewed.
Policies, controls and procedures
Firms must have written policies, controls and procedures to effectively manage and mitigate the risk of money laundering and terrorist financing, as well as data protection requirements. These policies, controls and procedures must be proportionate to the size and nature of the business, approved by senior management, regularly reviewed, updated and communicated internally within your firm.
There is also a requirement for firms with overseas subsidiaries and branches to establish group wide policies and procedures that comply with UK requirements.
The firm’s policies, controls and procedures should be risk based which means that firms should focus their resources on areas that present the greatest threat of money laundering and terrorist financing.
Firms need to provide staff with appropriate training on money laundering and terrorist financing. This training now includes an obligation to make staff aware of the law on data protection, insofar as it is relevant to the implementation of the MLR 2017. A written record of training must be maintained.
Apply for approval if you are a beneficial owner, officer or manager (BOOM) of a firm
Under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) the IFA must approve all beneficial owners, officers and managers (BOOMs) in our supervised firms.
The approval process seeks to ensure that no BOOM has been convicted of a relevant offence as set out in Schedule 3 to the MLR 2017.
In order to be approved, HM Treasury has informed supervisors that they must obtain evidence of a Disclosure and Barring Service (DBS) check to get a copy of your criminal record. This is called a 'basic disclosure' check. The check will only show convictions that are not ‘spent’. Guidance to assist members in obtaining the required criminal record checks is provided.
Individuals who have an unspent relevant criminal conviction set out in Schedule 3 to the MLR 2017 cannot be approved by the IFA as a member engaged in public practice. There is no right of appeal under the MLR 2017, although a person can re-apply once the conviction becomes spent.
The relevant convictions in Schedule 3 to the MLR 2017 are economic crimes such as fraud, bribery, dishonesty, tax offences and breaches of the money laundering regulations. Driving offences are not included in the list. Nonetheless, IFA members and affiliates should be aware that some convictions that are not included within Schedule 3 may still lead to disciplinary action.
Client due diligence (CDD)
Firms must perform client due diligence before you establish a business relationship and when any factors relevant to client risk assessment have changed. These include:
- your client’s identity has changed;
- you have identified a transaction that isn’t consistent with your knowledge of your client; or
- the services you are providing to your client have changed.
Firms must identify the beneficial owner of the client and take reasonable measures to verify their identity and if the beneficial owner is an entity or legal arrangement, take reasonable measures to understand its ownership and control structure. The regulations state that you can’t rely solely on Companies House registers of beneficial ownership.
There are three key changes to the CDD requirements:
- You must now also complete CDD where you only perform company formation services, even if that service is a one-off service for that client.
- You must also identify and verify the identity of a person purporting to act on behalf of your client.
- You must obtain and verify the name of the body corporate, its registration number, its registered address, and principal place of business. You must also take reasonable measures to determine and verify the law to which it is subject, its constitution (set out in governing documents) and the names of the board of directors and its senior management.
Simplified Due Diligence (SDD)
SDD can be applied when you have assessed the client as low risk of money laundering and terrorist financing. MLR 2017 sets out a list of factors to be taken into account when assessing whether a client presents a low degree of money laundering risk and terrorist financing. If they do, SDD measures can be applied.
Enhanced Due Diligence (EDD)
Enhanced Due Diligence (EDD) should be applied where there is a higher risk of money laundering or terrorist financing. MLR 2017 sets out a list of circumstances in which EDD measures must be applied, which includes:
- any transaction or business relationship with a client established in a high-risk country;
- any transaction or business relationship involving a politically exposed person (PEP), or a family member or known close associate of a PEP;
- any other situation which presents a high risk of money laundering or terrorist financing.
The MLR 2017 also set out a list of factors that must be taken into account in assessing whether there is a higher risk of money laundering and terrorist financing present. Under the EDD measures, the regulations require that, at minimum, the background and purpose of the transaction should be examined and the frequency with which the business relationship is monitored should be increased.
In addition, you may take additional measures as part of your EDD such as seeking additional independent, reliable sources to verify the information that your client has provided to you.
The regulations give a list of risk factors that might indicate that there is a high risk of money laundering or terrorist financing. You should consider these when assessing if EDD might be appropriate:
Customer risk factors:
- The business relationship is conducted in unusual circumstances.
- The customer is resident in a geographical area considered to be an area of high risk.
- The customer is a legal person or arrangement that is a vehicle for holding personal assets.
- The customer is a company that has nominee shareholders or bearer shares.
- The customer is a business that is cash intensive.
- The corporate structure of the customer is unusual or excessively complex given the nature of the company’s business.
Product, service, transaction or delivery channel risk factors:
- The product involves private banking.
- The product or transaction is one which might favour anonymity.
- The situation involves non-face-to-face business relationships or transactions, without certain safeguards, such as electronic signatures.
- Payments will be received from unknown or unassociated third parties.
- New products and new business practices are involved, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products.
- The service involves the provision of nominee directors, nominee shareholders or shadow directors, or the formation of companies in third countries.
Geographical risk factors:
- Countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective systems to counter money laundering and terrorist financing.
- Countries identified by credible sources as having significant levels of corruption or other criminal activity.
- Countries subject to sanctions, embargoes or similar measures issued by, for example, the European Union or the United Nations.
- Countries providing funding or support for terrorism.
- Countries that have organisations designated by the UK, the EU or other countries/international organisations as terrorist organisations.
Politically exposed persons (PEP)
The regulations require you to have appropriate risk management policies and procedures in place to identify whether a client, or the beneficial owner of a client, is a PEP or a family member or known close associate of a PEP. There are a number of free to use online PEP check services available, such as www.namescan.io.
A family member of a PEP includes their spouse, civil partner, children and parents.
A known close associate of a PEP means:
- An individual known to have joint beneficial ownership of a legal entity or a legal arrangement or any other close business relations with a PEP.
- An individual who has sole beneficial ownership of a legal entity or a legal arrangement which is known to have been set up for the benefit of a PEP.
When you identify a potential client is a PEP, you must assess the level of risk associated with your client and the extent of any EDD that you should perform on that client. As a minimum, you must:
- obtain senior management approval for establishing or continuing the business relationship;
- take adequate measures to establish the source of wealth and funds involved in the business relationship or transaction; and
- conduct enhanced ongoing monitoring of the relationship.
When a client ceases to be a PEP, you must continue to apply your EDD procedures for at least 12 months (or longer if necessary, to address the risk of money laundering or terrorist financing). However, if your client is a family member or known associate of a PEP, you can stop applying EDD procedures as soon as the PEP status ends.
In determining whether someone is a known close associate of a PEP, obliged entities are allowed to rely only on information they already hold or that which is freely available in the public domain.
The FCA has published guidance on the treatment of PEPs for anti-money laundering purposes.
Reliance on third parties
If you place reliance on the CDD of a third party, or if a third party places reliance on your CDD, you need to be aware of the changes under the regulations.
If you are relying on a third party, you must obtain all relevant information. You must also enter into a written arrangement that confirms that the firm being relied on will provide the relevant documentation immediately on request.
Record keeping and data protection
Firms must keep a copy of documents and records for five years after the business relationship has ceased or the completion of the transaction. At the end of the five years, firms must delete any personal data in those records unless:
- you are required to retain records containing the personal data under an enactment or for the purposes of court proceedings or you have reasonable grounds for believing the records need to be retained for legal proceedings; or
- you have the consent of the person whose data it is.
In addition, firms must provide new clients with:
- information specified in paragraph 2(3) of Part 2 of Schedule 1 to the Data Protection Act 1998; and
- a statement that any personal data received from the client will only be processed for the purposes of preventing money laundering or terrorist financing unless permitted by an enactment or unless they provide consent.
Firms should consider updating their letters of engagement to existing clients.
Register of Trust or Company Service Providers (TCSP)
HMRC must establish a register of TCSPs who are not registered with the Financial Conduct Authority (FCA). This will cover all non-FCA registered firms but is not a replacement for AML supervision.
A firm must not act as a TCSP unless it is on the register or has applied and not been rejected from registration. The IFA is waiting for information from HMRC on the establishment of the TCSP register.
The IFA will automatically register your firm for AML supervision on the HMRC TCSP register provided your firm is supervised for AML by IFA as an accountancy service provider AND you have declared you provide TCSP services on your annual firm declaration. Further details can be found here.
Please note that on 10 January 2020 changes to the government’s Money Laundering Regulations came into force. The Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (MLR 2019), make some limited but important amendments to the existing Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). Further information on the key changes is available here.