Money Laundering, terrorist financing and transfer of funds (information on the payer) regulations 2017 [SI 2017/692]
The most obvious change is that the 2007 MLR was 45 pages long and the new 2017 MLR is 106 pages long. In response to the growing complexity of financial crime prevention and the prevalence of money laundering the regulation has become more detailed and more prescriptive.
Although always part of the MLR, there is a greater emphasis throughout the new regulations that firms must take a risk-based approach and base their decisions on weighted risk assessments. It is now expected that firms have a more mature risk appetite statement that links to and drives operational decisions. Senior managers are held accountable for these decisions, so it is important that detailed records are kept of the decisions made and the rationale for them.
The MLR 2017 is structured in 11 Parts. The following sections summarise each of these, highlighting the main changes.
Part one – Introduction
This section sets out the definitions and meanings that apply throughout the regulations and the supervisory authorities for those persons within the scope of the regulations.
Governance and Accountability
There always had to be a Nominated Person (the MLRO) within an obliged entity, but the new regulations extend this to requiring a firm to also appoint a director (or equivalent) as having overall accountability for money laundering. We see this as following the lead of the financial services regulators who introduced a Senior Managers and Certification Regime (SMCR) last year, with the intention of strengthening accountability within financial services. This new regime makes individuals within organisations personally accountable for the actions of the firm, with significant criminal penalties if they are found to have been at fault.
Part two – Money laundering and terrorist financing
This section identifies the “relevant persons” to whom the money laundering provisions in these Regulations apply (regulations 8 to 15). Regulations 16 to 25 impose requirements for risk assessments to be carried out by the Treasury and the Home Office, the supervisory authorities and relevant persons to identify and assess the risks of money laundering and terrorist financing. They also require relevant persons to have policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified through the risk assessments. Regulation 26 prohibits any person from being the beneficial owner, officer or manager of certain firms unless that person has been approved by the firm’s supervisory authority.
Risk Management and Assessment
Risk assessment is central to the MLR and impacts almost every aspect of the legislation. The rules have been significantly extended, now covering six pages rather than the one page found in the 2007 MLR. EABs (estate agency businesses) are required to produce and maintain a detailed and comprehensive risk and control register. Risk management and assessment must broadly cover two perspectives:
- Enterprise Risk identification and management for the safe pursuit of the firm’s strategy. This must be articulated through a Risk Statement including a Risk Appetite statement.
- Identification and Assessment of risks presented by customer engagement and transacting, in line with existing regulations and driving the appropriate level of CDD.
The regulations are much more detailed when specifying the need for a comprehensive and integrated risk management framework and specify that this must be documented and made available to the supervisory authority. Risk and control frameworks must include self-assessment mechanisms that are embedded within the day-to-day operation of the firm.
Policies, controls and Procedures
As an extension to the risk management framework, and a step up from the existing regulations, the rules specify that firms must establish and maintain written policies, controls and procedures. Firms must implement processes to review these on a regular basis so that they remain embedded and up to date. The regulator will require sight of these documents as well as of the method for maintaining them and ensuring they remain effective.
Firms must have established risk and control self-assessment procedures in place.
Part three – Customer due diligence
This section makes provision for customer due diligence measures. Regulations 27 to 32 identify what CDD measures must be undertaken by relevant persons, and when those measures must be undertaken. Regulations 33 to 35 identify when enhanced customer due diligence measures must be applied by the relevant person in addition to the general customer due diligence measures required by regulations 27 to 32. Regulations 36 to 37 identify when simplified customer due diligence measures may be applied by the relevant person.
Provision of Information
Here we see a fundamental change that will have a significant impact on the way all CDD is conducted by obliged entities. Under MLR 2017 an obligation has been placed on a party to provide information within 2 days of it being requested. This applies to parties being ‘relied’ upon, corporate bodies and trusts. This obligation is referenced several times throughout the MLR; for example, regulation 42(1) states:
“When a UK body corporate enters into a relevant transaction with a relevant person, or forms a business relationship with a relevant person, the body corporate must on request from the relevant person (and at the latest within two working days) provide the relevant person with—
(a) information identifying—
(i) its name, registered number, registered office and principal place of business;
(ii) its board of directors, or members of its management body;
(iii) its senior management;
(iv) the law to which it is subject;
(v) its legal owners, and
(vi) its beneficial owners, and
(b) its memorandum of association or other governing documents.
(2) If, during the course of a business relationship, there is any change in the identity of the individuals or information falling within paragraph (1), the UK body corporate must notify the relevant person of the change and the date on which it occurred within two working days.”
It is difficult to see how this will work and how enforceable it will be. However, if successful, this could greatly reduce the burden on CDD teams.
A three-tiered approach to CDD still exists, with customer due diligence being the default level. The concept of both simplified and enhanced due diligence remains, but the regulation is now more prescriptive about how these may be applied. It is important that all firms have a clear and robust risk assessment methodology that can be applied consistently to each new customer before deciding what level of due diligence is appropriate.
Beneficial ownership of bodies corporate or partnerships still extends only to control or ownership of 25% or more.
Regulation 26 (1) states, “No person may be the beneficial owner, officer or manager of a firm within paragraph (2) (“a relevant firm”) [a list including estate agents] unless that person has been approved as a beneficial owner, officer or manager of the firm by the supervisory authority of the firm.”
The definition of a PEP now includes domestic PEPs, but the time limit from when a person ceases to be considered a PEP has not been changed and is still 12 months from leaving a politically exposed position, or longer at the discretion of the firm conducting CDD. All obliged entities will need to have significant controls and on-going monitoring of any PEP relationship they establish.
Part four – Reliance and record keeping
This section sets out the circumstances in which a relevant person may rely on another person to apply customer due diligence measures (regulation 38). It also makes provision as to which records relevant persons are required to keep, and when they are to be deleted (regulation 39), and clarifies the requirements as to data protection (regulation 40).
Reliance has been extended, making it easier to use a third party for part or all of CDD. The regulations are more prescriptive and, significantly, now extend to include other types of obliged entity. However, it should be noted that the risks of relying on a third party are generally greater than the benefits. One barrier to reliance is that third parties can be slow in providing copies of identification documentation to help identify the customer or its beneficial owner. To mitigate this, the regulations specify that a third party must abide by the two-day rule for providing information and updating on changes.
Proceed with caution; it may now be easier to rely on others, but be aware that the risk of that information being inadequate or wrong still lies with you.
The regulations describe the type of written agreement that must be put in place when exercising reliance, as well as additional record keeping requirements. Firms must ensure that, when placing reliance on any third party, they adhere carefully to the rules and that detailed records are kept, as these may be called on for up to five years after the completion of the transaction or business relationship. If you are the relevant person being ‘relied’ upon, you must also keep your own records for the same period.
Detailed records must be kept for a minimum of five years from the date the transaction or customer relationship ended. Under the MLR 2017 an obliged entity must delete records held after the required period of five years has elapsed. The only exception to this is when there may be other legal reasons for retaining the information, such as an ongoing investigation. Separate from the MLR is the General Data Protection Regulation (GDPR), aimed at protecting customer and personal data and making sure that an individual has access to the data organisations keep about them. This is separate legislation, directly applicable in the UK, and it applies in full to obliged entities. It is intertwined with the MLR and comes into force in May 2018. Firms would do well to adopt its recommendations ahead of the implementation date.
Training is a mandatory requirement and there is an increased emphasis on its importance. The regulator sees culture as being at the heart of combatting financial crime and believes that it should be part of everybody’s everyday job. This begins with awareness, and that comes from training. Senior managers will be held accountable for a lack of training, which could result in financial penalties. Firms must ensure that they have reviewed and enhanced training to meet the new requirements in the MLR. This must be well documented and evidenced; without this there is no way to prove that it happens.
Part five – Beneficial ownership information
This section applies to bodies corporate and to trustees. It requires corporate bodies to provide specified information to a relevant person when entering into a relevant transaction with a relevant person (regulation 42) and requires trustees to inform the relevant person of their status and to provide information to them, and to law enforcement authorities (regulation 43). The trustee is under additional requirements to hold certain information and provide information to the Commissioners for Her Majesty’s Revenue and Customs (“the Commissioners”) in certain circumstances. The Commissioners are under a requirement to hold the information that has been received from the trustee in a register (regulation 44).
Part six – Money laundering and terrorist financing: supervision and registration
This section makes provision in relation to supervisory authorities and registration of relevant persons. It states that all supervisory authorities are subject to a duty to cooperate with other supervisory authorities, the Treasury and law enforcement authorities and a duty to collect information. Provision is made for the circumstances in which a supervisory authority may disclose information it holds for supervisory purposes. Regulations 52 to 59 require the Financial Conduct Authority and the Commissioners to maintain registers of certain relevant persons, and impose corresponding requirements on relevant persons to apply for registration. The FCA and the Commissioners have powers to suspend or cancel the registration of a relevant person in certain circumstances.
Part seven – Transfer of funds (information on the payer) regulations
This section sets out the supervisory authorities for a payment service provider and the duties of the supervisory authorities. There are only two supervisory authorities for service providers: the FCA and the Commissioners.
Part eight – Information and investigation
This section gives supervisory authorities information gathering powers (regulations 64 to 67), gives the FCA and the Commissioners further investigatory powers (regulations 68 to 69) and makes provision for the way in which these powers may be exercised (regulations 70 to 72).
Part nine – Enforcement
This section identifies “relevant requirements” for these Regulations and gives the FCA and the Commissioners powers to impose civil penalties on any person who has contravened a relevant requirement. Regulations 83 to 89 provide for criminal offences where a relevant person has contravened a relevant requirement, prejudiced an investigation or disclosed false or misleading information to the supervisory authorities, and make provision in relation to criminal proceedings.
This section, therefore, does not impose additional requirements or make changes to the operational nature of what you are doing, but all obliged entities should take heed of this warning that regulators are getting tough on non-compliance and failings.
Part ten – Appeals
This section provides for an appeal from a decision by the FCA under these Regulations (regulation 90), and for reviews and appeals in relation to decisions of the Commissioners (regulations 91 to 97).
Part eleven – Miscellaneous provisions
This section, among other things, ensures that charges or penalties imposed by the FCA or the Commissioners may be recovered as a debt in civil proceedings (regulation 98), ensures that the FCA and the Commissioners are able to recover the costs of their supervision or enforcement action (regulation 99) and imposes obligations on various public authorities to disclose any suspicions they may have of money laundering or terrorist financing (regulation 100).
The new money laundering regulations represent a significant change to the way all firms must manage financial crime. What we see in this version of the regulations will almost certainly be what is finally implemented. The final consultation period of four weeks is already underway, but it is unlikely to produce significant changes.
What should you do?
Take Action Now
The following is a recommended list of actions you should undertake. Engage specialist help to get expert advice and perhaps more importantly, experience. Lysis Financial provides compliance advice to firms based on years of experience. We bring a set of pre-built tools and methodologies honed from repeated engagements, enabling us to bring solutions based on what works.
- Rules Mapping – By far the most important first step is to understand how these changes affect your business. By creating a map from the regulations to your own operations, you will quickly be able to identify the gaps, enabling you to formulate a plan taking the changes on the front foot. When we engage with an organisation to do this, we provide a Compliance Risk Assessment (CRA). The CRA acts as an internal management tool, enabling the compliance function to target its activities, focussing effectively on the highest priority tasks.
- Consider Risks and Risk Appetite – Once you have understood where the gaps are in your compliance framework, you should turn your attention to enhancing your approach to risk management. Document your Risk Appetite. Move on to a full review of your risk framework; the size of those risks will tell you where you need to make control adjustments to bring the firm into line with its appetite.
- Review and enhance your risk and control framework – having stated your Risk Appetite and assessed your risks you will know where adjustment to the systems and control framework is necessary to achieve alignment. Management Information and reporting is critical to the success of risk and control management; make sure information and communication is effective. Document this well and the regulator will be happy.
- Update Policies and Procedures – Once you’ve identified the necessary changes to your systems and controls you need to articulate your approach to AML, CFT and Financial Crime in general. Review and enhance your policies. Review and enhance your processes. Bring this all together through a Compliance Manual.
- Training – The regulator will want to see a robust and comprehensive approach to training and therefore culture. Build a programme and support this with a clear plan. Document everything to demonstrate successful completion and that no one is falling through the cracks.
- Record Keeping – Review the GDPR and align your record keeping with it. It doesn’t come into force until 2018, but getting that right now will save a lot of effort later.
- Test your readiness – If you haven’t already done it, get an external review. [There are many firms that will test your readiness for a supervisory visit.] Visit www.lysisfinancial.com for some example services.
Lysis Financial is a specialist Governance, Risk and Compliance firm, providing advice, support and guidance to regulated firms. We have a range of services tailored to support firms as they operate in regulated spaces.
We work with all types of obliged entities and have a range of solutions, designed for both large and small firms.
Lysis embeds a risk-based strategic approach into its projects and operational decision-making, enabling our clients to be assured of sustainable success.