The government enacted the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLR 2017) on 26 June 2017. These are based on the same principles as the pre-existing rules, but contain significant changes which affect how regulated organisations must structure their anti-money laundering (AML) functions and carry out checks.
The MLR 2017 apply to all organisations operating within the regulated sector which broadly covers the finance industry, the legal and accountancy professions and parts of the property industry.
The changes reflect the greater emphasis in the EU’s fourth Money Laundering Directive, which the MLR 2017 implement, on a risk-based approach. As a result, the MLR 2017 are considerably more onerous than their predecessor, the 2007 regulations.
In order to comply with the implementation deadline HM Treasury issued the MLR 2017 without detailed guidance. As a result, we are assisting a number of our private and public sector clients in deciding how best to implement the rules, while monitoring the guidance being issued by industry bodies.
This is especially important given the heightened scrutiny that money laundering risks have attracted in recent years, especially in the real estate and finance sectors. In 2015, Prime Minister David Cameron gave a well-publicised speech in Singapore linking laundered money to property price rises. The ‘Panama Papers’ data leak in 2016 highlighted the purchase of UK real estate via offshore vehicles and named banks and law firms which facilitated this. As a result, the Royal Institution of Chartered Surveyors currently identifies money laundering as one of the most significant areas of risk facing the property industry.
Key changes in the 2017 regulations include:
- New roles and functions. Organisations must, depending on their size and risk profile, appoint a board member or a member of the senior management team with responsibility for compliance with the regulations. Although the MLR 2017 and the Joint Money Laundering Steering Group guidance do not state this must be a different person from the existing money laundering reporting officer (MLRO), we consider it is sensible for them to be different people in order that the compliance officer can review the practices of the MLRO and provide them with recommendations as required. This also mirrors HMRC guidance. Organisations must also consider establishing an independent audit function to monitor compliance.
- Training and screening. Organisations must screen employees involved in AML compliance and provide them with regular training. Training is key as any individual who undertakes tasks related to AML may be subject to civil penalties or criminal sanctions should they fail to comply.
- Risk assessments. It will be necessary to undertake organisation-wide AML risk assessments. It will also be necessary to undertake individual risk assessments for each new customer and transaction.
- More onerous customer due diligence. The customer due diligence documentation required will be more onerous. It is necessary to identify the source of funds and the ultimate beneficial owners of companies or trust. Simplified due diligence no longer applies automatically to particular categories of customers. There are now more stringent rules regarding reliance on the due diligence of another party such as a solicitor.
- PEPs. Politically exposed persons (PEPs) will now include UK government officials as well as overseas officials. There is an inherent contradiction here, in that UK PEPs are likely to be found on the boards of UK PLCs and public sector bodies. That elevates the risk profile of customers who would otherwise be low risk and formerly have benefited from simplified due diligence. There must also be approval from senior management for establishing a business relationship with a PEP and adequate measures must be taken to establish their source of wealth.
- Trusts. Trustees will need to be ready to provide details for a new register of beneficial owners of trusts. Beneficial owners are likely to include a trust’s settlor, trustees, protector and beneficiaries.
All regulated bodies should update their AML personnel, policies and procedures to ensure compliance with the new regulations. This will involve filling the new roles identified above, re-drafting procedures, organising training for staff and setting up new audit functions.
Specific risk factors
It is important in doing this for organisations to consider risk factors specific to their own industry and business. The MLR 2017 list out particular factors to be considered, including the nature of an organisation’s customers, geographic areas in which it operates, products or services, transactions and delivery channels.
Activities involving higher risk jurisdictions and complex offshore structures will inevitably be higher risk, as will high-value property transactions or other large one-off movements of money.
Day-to-day operations will also be affected. Private and social housing landlords should consider the risk factors around accepting cash payments, especially if tenants produce large sums at short notice to avoid eviction.
Given the prominence that money laundering is attracting, we are seeing some clients mitigating potential regulatory and reputational risks by implementing best practices which go beyond the legal minimum.
For example, some businesses are carrying out customer due diligence on their contract counter-parties. This is not strictly required, because these are not their ‘customers’. However, if (for example) a regulated body was to purchase real estate that was found to be derived from the proceeds of money laundering or terrorist finance, it could still nevertheless potentially commit one of the substantive money laundering offences under the Proceeds of Crime Act 2002, as well as face reputational damage. Other examples are changing business models to phase out cash payments, and changing deal models to ensure that AML documentation is obtained at the very outset of discussions.
Obviously there are pros and cons to such an approach. No-one wants to add to their regulatory burden. This can not only impact management time and overheads, but also potentially a business’ competitiveness in the market if it is perceived as difficult to deal with. It is also necessary to ensure such an approach is consistent with other regulations, especially the upcoming General Data Protection Regulation which will tighten up the rules around the retention of personal data.
Having said that, the regulatory climate means that money laundering is a key risk for regulated businesses. The damage caused by the Panama Papers to Mossack Fonseca, one of the world’s largest providers of offshore services, is an extreme example. However, regulators in the UK are increasingly sharpening their teeth. Implementing the MLR 2017 promptly and effectively is therefore an important task for regulated organisations.