The Government has transposed the 4th Anti-Money Laundering Directive into UK law.
The regulations build on the current regulatory framework although there are some specific, and potentially significant, changes that you need to be aware of.
The CCAB has published its AML guidance for the accountancy sector. This guidance has been updated for the 2017 Regulations and approved by HM Treasury.
Identifying and assessing risk was an important theme running through Money Laundering Regulations 2007 (MLR07) and firms were encouraged to assess the risks faced by the business, as well as the risk that clients would be involved in money laundering or terrorist financing.
The regulations set out a more prescriptive approach to this firm-wide risk assessment. There is a requirement for a written risk assessment and a list of factors that you must take into account. These are:
You can continue to use Chapter 4 of the CCAB guidance (Tech 04/08) to help you perform your risk assessment. This chapter encourages you to design the nature and extent of your AML procedures based on:
The regulations accept that the nature of the risk assessment will depend on the size and nature of your firm. The overall risk assessment of a small firm may be quite succinct – the most important part is that you properly identify and assess the risk of money laundering or terrorist financing and that your assessment is documented.
During 2018, we may perform a themed review of firm-wide AML risk assessments. From this review, we can identify areas that firms may find difficult and provide feedback and guidance. In order to do this, we may ask a sample of firms to submit their risk assessment to us.
Firms must now appoint a money laundering compliance principal (MLCP) and that individual must be on the board of directors (or equivalent management body), or a member of senior management, where appropriate to the size and nature of the business. Sole practitioners with no employees are exempt from this requirement.
Firms must also appoint a nominated officer (ie, the individual nominated to receive internal suspicious activity reports and who assesses whether a suspicious activity report should be made to the National Crime Agency (NCA)).
All firms currently have an MLRO under MLR07. Where this person is sufficiently senior, they can act as MLCP and nominated officer.
If the MLRO is not sufficiently senior and an MLCP must be appointed, the MLCP’s name must be communicated to ICAEW within 14 days of first appointment.
Please send information on this appointment to Paul Simkins, Director of Quality Assurance, ICAEW, Metropolitan House, 321 Avebury Blvd, Milton Keynes, MK9 2FZ.
However, ICAEW will presume that the MLCP is the same individual as the firm’s registered MLRO unless the firm informs us otherwise.
Where appropriate to the size and nature of the business, firms must now assess the skills, knowledge, conduct and integrity of those employees who are involved in identifying, mitigating, preventing or detecting money laundering and terrorist financing in the course of business. This includes those staff whose work is relevant to compliance with the regulations.
You will already assess your staff for competence, conduct and integrity. You must now make sure that these assessments include money laundering.
You must also regularly train your staff in how to recognise and deal with transactions and other activities which may be related to money laundering or terrorist financing.
The regulations say that firms must establish an independent audit function to assess the adequacy and effectiveness of the firm’s AML policies, controls and procedures. Sole practitioners with no employees are exempt from this requirement.
You should already be performing a money laundering compliance review, which we believe addresses the requirement for an independent audit function. You should make sure that your Money Laundering Compliance Principal is responsible for performing this review. You should perform a compliance review regularly and where you identify any recommendations, you must monitor the firm’s compliance with these recommendations.
MLR07 required firms to have policies, controls and procedures to prevent activities related to money laundering and terrorist financing, as well as data protection requirements. A written record of training must be maintained.
The regulations build on these by requiring you to document these policies, controls and procedures and to have your senior management approve them.
There is also a new requirement for firms with overseas subsidiaries and branches to establish group-wide policies and procedures that comply with UK requirements:
The regulations keep the core requirement that you must perform client due diligence before you establish a business relationship and when you identify any factors relevant to your risk assessment that have changed. These include:
You must still identify the beneficial owner and verify them (on a risk-sensitive basis) but the regulations state that you can’t rely solely on Companies House registers of beneficial ownership.
There are three key changes to the CDD requirements:
Under MLR07, SDD was the default option for a defined list of entities, eg, listed companies.
Instead, the regulations embed SDD into the risk-based approach. You must still perform CDD but you may limit that due diligence based on whether you think simplified due diligence is appropriate. The regulations give a list of low risk factors where SDD may be appropriate, which is similar to the list of entities in MLR07 (ie, credit or financial institutions) but also includes customers in geographical areas of lower risk.
The rules around EDD are significantly different under the regulations. There is a defined list of situations where you must apply EDD. These are:
If your risk assessment identifies that you should carry out EDD, then you must, as a minimum:
You may also choose to perform one of the following measures:
The regulations give a list of risk factors that might indicate that there is a high risk of money laundering or terrorist financing. You should consider these when assessing if EDD might be appropriate (s.33).
The regulations require you to have procedures in place that will identify whether a client, or the beneficial owner of a client, is a PEP or a family member or known close associate of a PEP.
A family member of a PEP includes their spouse, civil partner, children and parents.
A known close associate of a PEP means:
When you identify a potential client is a PEP, you must assess the level of risk associated with your client and the extent of any EDD that you should perform on that client. As a minimum, you must:
When a client ceases to be a PEP, you must continue to apply your EDD procedures for at least 12 months (or longer if necessary to address the risk of money laundering or terrorist financing). However, if your client is a family member or known associate of a PEP, you can stop applying EDD procedures as soon as the PEP status ends.
In determining whether someone is a known close associate of a PEP, obliged entities are allowed to rely only on information they already hold or that which is freely available in the public domain.
If you place reliance on the CDD of a third party, or if a third party places reliance on your CDD, you need to be aware of the changes under the regulations.
If you are relying on a third party, you must obtain all relevant information. You must also enter into a written arrangement that confirms that the firm being relied on will provide the relevant documentation immediately on request.