The European Union's much-awaited 4th Money Laundering Directive has produced a 10-year update to the Money Laundering Regulations 2007. The Money Laundering Regulations 2017 come into force on 26 June 2017.
If you have not yet undertaken a review of your money laundering policy in line with the new regulations, set out below is a summary of the key considerations to review further. You should also remove reference to the 2007 legislation as the new 2017 Regulations encompass the regulatory framework that will apply.
Much of the new Regulations is fine-tuning, but there are key changes and every regulated firm should be reviewing the content, checking its policies and undertaking fresh reviews and training. If you haven’t started, you do not have long to comply, and the consequences of non-compliance continue to include criminal charges as well as civil and administrative penalties for the organisation and relevant individuals.
1. Risk Assessments
Under the 2007 Regulations, it was necessary to keep policies relating to risk assessment and due diligence. The 2017 Regulations set out the procedure to be taken by a relevant person when analysing the organisation’s potential exposure to money laundering or terrorist financing. This will usually mean that the Money Laundering Reporting Officer (MLRO) must produce a written risk report covering its clients, products and services, size and nature of the business, transaction types, and countries of operation and the various modes of delivery. Having considered those areas, the individual must then put in place policies based upon the findings. It is the specific process of assessment on a prescriptive basis that is key. It is therefore essential that the MLRO understands how the business works and operates in order to undertake an appropriate risk assessment and then establish the subsequent policies.
If your risk assessment has not been updated in line with the 2017 requirements, now is the time to review it.
2. Risk Mitigation Policies
Taking the 2007 Regulations a step further, risk mitigation policies are to be proportionate to the risks identified and approved by senior management in addition to being in writing. If you have limited the review work undertaken by your staff or other relevant persons, it is vital that you explain why in your policy and how this is proportionate to the risks you have identified within your business.
The policies must include internal controls over money laundering and terrorist financing risks, which include the screening of agents and staff as well as training.
Screening covers any person whose work is relevant to AML compliance within your business. This could range from the person taking the client ID to someone working in your accounts department. Screening means assessing the skills, knowledge and expertise of such an individual in carrying out their functions effectively, and their conduct and integrity. This is often unlikely to have been previously audited and your policies must be updated.
Taking appropriate measures to ensure relevant employees and agents are made aware of the law relating to money laundering, terrorist financing and data protection, and are regularly given training in how to recognise and deal with transactions and other activities which may be related to money laundering or terrorist financing, is also a key step. Training should have been undertaken in any event, but additional training should now have been put in place to update your staff on the 2017 changes. If those involved with your compliance have not heard of the new Regulations, they will not have been trained. If you received a call from HMRC in advance of an inspection to review your compliance, how would your team respond? If they would be unaware of the Regulations, you may find it difficult to persuade the Regulator that you are compliant.
3. Level of due diligence
There are also changes to Simplified Due Diligence, although many organisations have never had the opportunity to utilise this section of the 2007 Regulations. The 2017 Regulations identify high-risk jurisdictions which, if involved in a transaction, will make Enhanced Due Diligence compulsory.
4. Reliance on Third Parties
It is possible under the 2007 Regulations to rely upon the due diligence carried out by a third party providing that party is also regulated.
Under the 2017 regime, the third party must provide the customer due diligence information obtained and enter into a written agreement under which it agrees to provide, within 2 working days, copies of all customer due diligence documentation in respect of the customer and/or its beneficial owner.
5. Politically Exposed Persons (PEPs)
Historically, many organisations did not deal with foreign PEPs. However, the Politically Exposed Persons regime now applies to local PEPs too.
This means that Enhanced Due Diligence is required for individuals in trusted prominent public functions not only overseas but also in the UK. It goes beyond the individual directly to include relatives.
Putting in place a policy that is proportionate, reflects your business and is set out in writing and followed by your staff is vital. Assuming that you will never deal with a PEP will not suffice.
If a client is a PEP, the business must assess the level of risk associated with the particular customer and the extent to which Enhanced Due Diligence should be applied. If your staff are unaware of this requirement, you are not compliant.
Copies of all relevant documents and supporting evidence in respect of transactions must be kept for 5 years from the date your business knows, or has reasonable cause to believe, that the transaction is complete or that the business relationship has come to an end.
At the end of that period, any personal data must be deleted unless there is a legal requirement to keep it or the data subject has expressly consented. Any personal data obtained for the purposes of complying with the Money Laundering Regulations 2017 may only be processed for the purposes of preventing money laundering and terrorist financing.
If you have not yet updated your systems, you still have time but must act quickly:-
1. Review your current policy alongside the Money Laundering Regulations 2017 to identify how your systems and procedures should be updated and revised;
2. Ensure appropriate individuals appointed to key risk management and prevention positions are screened and trained on the changes;
3. Ensure your customer due diligence policies are updated and the information retained, particularly with regard to PEPs;
4. Ensure all of your systems and procedures are assessed on a risk-based process.
This is not an exhaustive list and is provided for guidance purposes only.
Should you require assistance in complying with the Money Laundering Regulations 2017 that will apply to your business from the 26th June 2017, please contact Sarah Canning at firstname.lastname@example.org.