Money Laundering Regulations 2017

The CCAB has published its AML guidance for the accountancy sector. This guidance has been updated for the 2017 Regulations and approved by HM Treasury. It is for all entities providing audit, accountancy, tax advisory, insolvency or related services, such as trust and company services, by way of business.

Whole firm risk assessment (s.18)

Identifying and assessing risk was an important theme running through Money Laundering Regulations 2007 (MLR07) and firms were encouraged to assess the risks faced by the business, as well as the risk that clients would be involved in money laundering or terrorist financing.

The regulations set out a more prescriptive approach to this firm-wide risk assessment. There is a requirement for a written risk assessment and a list of factors that you must take into account.

These are:

• information provided by ICAEW, as your Supervisory Authority on risk factors in the sector;
• your customers;
• the countries or geographic areas in which you operate;
• your products or services;
• your transactions; and
• your delivery channels.

You can continue to use Chapter 4 of the CCAB guidance (Tech 04/08) to help you perform your risk assessment. This chapter encourages you to design the nature and extent of your AML procedures based on:

• the nature, scale, complexity and diversity of your business;
• the geographical spread of your client operations, including any local AML regimes that apply; and
• the extent to which operations are linked to other organisations (such as networking businesses, agencies or outsourcing suppliers).

The regulations accept that the nature of the risk assessment will depend on the size and nature of your firm. The overall risk assessment of a small firm may be quite succinct – the most important part is that you properly identify and assess the risk of money laundering or terrorist financing and that your assessment is documented.

During 2018, we may perform a themed review of firm-wide AML risk assessments. From this review, we can identify areas that firms may find difficult and provide feedback and guidance. In order to do this, we may ask a sample of firms to submit their risk assessment to us.

Internal controls – officer responsible for compliance (s.21a)

Firms must now appoint a money laundering compliance principal (MLCP) and that individual must be on the board of directors (or equivalent management body), or a member of senior management, where appropriate to the size and nature of the business. Sole practitioners with no employees are exempt from this requirement.

Firms must also appoint a nominated officer (i.e, the individual nominated to receive internal suspicious activity reports and who assesses whether a suspicious activity report should be made to the National Crime Agency (NCA)).

All firms currently have an MLRO under MLR07, where this person is sufficiently senior then they can act as MLCP and nominated officer.

If the MLRO is not sufficiently senior and an MLCP must be appointed, the MLCP’s name must be communicated to ICAEW within 14 days of first appointment.

Please visit your guide to maintaining your firm's record for more information about how to notify us of this appointment.

However, ICAEW will presume that the MLCP is the same individual as the firm’s registered MLRO unless the firm informs us otherwise.

Internal controls - screening of relevant employees (s.21b)

Where appropriate to the size and nature of the business, firms must now assess the skills, knowledge, conduct and integrity of those employees who are involved in identifying, mitigating, preventing or detecting money laundering and terrorist financing in the course of business. This includes those staff whose work is relevant to compliance with the regulations.

You will already assess your staff for competence, conduct and integrity. You must now make sure that these assessments include money laundering.

You must also regularly train your staff in how to recognise and deal with transactions and other activities which may be related to money laundering or terrorist financing.

Internal controls - independent audit function (s.21c)

The regulations say that firms must establish an independent audit function to assess the adequacy and effectiveness of the firms AML policies, controls and procedures. Sole practitioners with no employees are exempt from this requirement.

You should already be performing a money laundering compliance review, which we believe addresses the requirement for an independent audit function. You should make sure that your Money Laundering Compliance Principal is responsible for performing this review. You should perform a compliance review regularly and where you identify any recommendations, you must monitor the firm’s compliance with these recommendations.

Policies, controls and procedures: (s.19 and s.20)

MLR07 required firms to have policies, controls and procedures to prevent activities related to money laundering and terrorist financing, as well as data protection requirements. A written record of training must be maintained.

The regulations build on these by requiring you to document these policies, controls and procedures and that your senior management approves them.

There is also a new requirement for firms with overseas subsidiaries and branches to establish group wide policies and procedures that comply with UK requirements:

• If you have a subsidiary or branch that operates in an EEA state, you must make sure that the subsidiary or branch complies with the money laundering laws of that state.
• If you have a subsidiary or branch that operates outside of the EEA, then you must make sure that the subsidiary or branch complies with the UK regulations. Where this is not possible because of local legislation you must inform ICAEW and implement additional procedures to address the money laundering risk.

Client due diligence (CDD)

The regulations keep the core requirement that you must perform client due diligence before you establish a business relationship and when you identify any factors relevant to your risk assessment that have changed. These include:

• your client’s identity has changed;
• you have identified a transaction that isn’t consistent with your knowledge of your client; or
• the services you are providing to your client have changed.

You must still identify the beneficial owner and verify them (on a risk sensitive basis) but the regulations state that you can’t rely solely on Companies House registers of beneficial ownership.

There are three key changes to the CDD requirements:

• You must now also complete CDD where you only perform company formation services, even if that service is a one-off service for that client. (s.4(2))
• You must also identify and verify the identity of a person purporting to act on behalf of your client.
• You must obtain and verify the name of the body corporate, its registration number, its registered address, and principal place of business. You must also take reasonable measures to determine and verify the law to which it is subject, its constitution (set out in governing documents) and the names of the board of directors and its senior management. (s.28(3))

Simplified Due Diligence (SDD) (s.37)

Under MLR07, SDD was the default option for a defined list of entities eg. listed companies.

Instead the regulations embed SDD into the risk-based approach. You must still perform CDD but you may limit that due diligence based on whether you think simplified due diligence is appropriate. The regulations gives a list of low risk factors where SDD may be appropriate, which is similar to the list of entities in MLR07 (ie, credit or financial institutions) but also includes customers in geographical areas of lower risk.

Enhanced Due Diligence (EDD) (s.33)

The rules around EDD are significantly different under the regulations. There is a defined list of situations where you must apply EDD. These are:

• where there is a high risk of money laundering or terrorist financing;
• in any business relationship with a client established in a high-risk country;
• if the client is a Politically Exposed Person (PEP), or a family member or known close associate of a PEP;
• in any case where the client has provided false or stolen identification documentation or information on establishing a relationship;
• in cases where you identify that the client has entered into transactions that are complex and unusually large, or there is an unusual pattern of transactions, and the transaction or transactions have no apparent economic or legal purpose

If your risk assessment identifies that you should carry out EDD, then you must, as a minimum:

• as far as reasonably possible, understand the background and purpose of the transaction, and
• increase the degree and nature of monitoring of the business relationship to determine whether the transaction or your business relationship are suspicious.

You may also choose to perform one of the following measures:

• seek additional independent, reliable sources to verify information the client has provided to you;
• take additional measures to understand better the background, ownership and financial situation of your client, and other parties to the transaction;
• take further steps satisfy yourself that the transaction is consistent with the purpose and intended nature of the business relationship; or
• increase your monitoring of the business relationship, including greater scrutiny of transactions.

The regulations give a list of risk factors that might indicate that there is a high-risk of money laundering or terrorist financing. You should consider these when assessing if EDD might be appropriate (s.33).

Customer risk factors

• the business relationship is conducted in unusual circumstances
• the customer is resident in a geographical area considered to be an area of high risk
• the customer is a legal person or arrangement that is a vehicle for holding personal assets
• the customer is a company that has nominee shareholders or bearer shares
• the customer is a business that is cash intensive
• the corporate structure of the customer is unusual or excessively complex given the nature of the company’s business

Product, service, transaction or delivery channel risk factors

• the product involves private banking
• the product or transaction is one which might favour anonymity
• the situation involves non-face-to-face business relationships or transactions, without certain safeguards, such as electronic signatures
• payments will be received from unknown or unassociated third parties
• new products and new business practices are involved, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products
• the service involves the provision of nominee directors, nominee shareholders or shadow directors, or the formation of companies in third countries

Geographical risk factors

• countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective systems to counter money laundering and terrorist financing
• countries identified by credible sources as having significant levels of corruption or other criminal activity
• countries subject to sanctions, embargoes or similar measures issued by, for example, the European Union or the United Nations
• countries providing funding or support for terrorism
• countries that have organisations designated by the UK, the EU or other countries/international organisations as terrorist organisations

Politically exposed persons (PEP)

The regulations require you to have procedures in place that will identify whether a client, or the beneficial owner of a client, is a PEP or a family member or known close associate of a PEP.

A family member of a PEP includes their spouse, civil partner, children and parents.

A known close associate of a PEP means:

• an individual known to have joint beneficial ownership of a legal entity or a legal arrangement or any other close business relations with a PEP
• an individual who has sole beneficial ownership of a legal entity or a legal arrangement which is known to have been set up for the benefit of a PEP;

When you identify a potential client is a PEP, you must assess the level of risk associated with your client and the extent of any EDD that you should perform on that client. As a minimum, you must:

• obtain senior management approval for the relationship;
• take adequate measures to establish the source of wealth and funds; and
• perform enhanced ongoing monitoring of the relationship.

When a client ceases to be a PEP, you must continue to apply your EDD procedures for at least 12 months (or longer if necessary to address the risk of money laundering or terrorist financing). However, if your client is a family member or known associate of a PEP, you can stop applying EDD procedures as soon as the PEP status ends.

In determining whether someone is a known close associate of a PEP, obliged entities are allowed to rely only information they already hold or that which is freely available in the public domain.

• FCA have also published guidance on the treatment of PEPs

Reliance on third parties (s.39)

If you place reliance on the CDD of a third party, or if a third party places reliance on your CDD, you need to be aware of the changes under the regulations.

If you are relying on a third party, you must obtain all relevant information. You must also enter into a written arrangement that confirms that the firm being relied on will provide the relevant documentation immediately on request.