DWF logo



            Fourth Money Laundering Directive

            The Money Laundering Regulations 2017 (“MLR 2017”) are yet to be finalised but are due to take effect on 26 June 2017. The MLR 2017 will implement several changes, particularly to risk management.

            Date: 18/05/2017

            The Joint Money Laundering Steering Group (JMLSG), an industry-recognised body that provides guidance for firms on AML compliance, has issued its Guidance on compliance with MLR 2017. Compliance with JMLSG’s Guidance is generally regarded as compliance with AML requirements. We await the finalised updated Guidance from JMLSG but have seen their draft proposed revised guidance.

            Key Changes under MLR 2017

            MLR 2017 will incorporate the MLR 2007.  The key changes include:

            • requirement of a risk assessment;
            • widening the definition of “Politically Exposed Persons”;
            • additional provisions regarding policies and supervision;
            • changes to CDD requirements;
            • confirmation of data protection/record keeping requirements; and
            • changes to reporting requirements.

            Risk Assessments and Policies:

            Whereas the MLR 2007 required firms to keep policies relating to risk assessment and due diligence, MLR 2017 is more prescriptive. The MLR advocates a “risk based approach” to AML/TF policy.

            As such, firms (if they are not already) must carry out a written risk assessment to identify and assess AML risks (Regulation 18(1)). This risk assessment must be documented, kept up to date (Regulation 18(4)) and made available to the FCA on request (Regulation 18(5) and (6)).

            The risk assessment will be the foundation of a firm’s AML/TF policy. Firms should take into account:

            • the customer;
            • geographical location of the transaction;
            • the product/service offered;
            • the delivery channel (Regulation 18(2)); and
            • the size and nature of the business (Regulation 18(3)).

            JMLSG’s current draft Guidance (Part 1) indicates a risk assessment may not need to be especially complex; this would be the case where the FCA considers the risks are clear and understood, or where the risks are not essentially complex.

            Policies, Controls and PEPs

            MLR 2017 is more prescriptive here too.

            Regulation 19(1) obliges firms to establish and maintain policies managing money laundering risks identified in the risk assessment, and keep a written record of them. These must be proportionate to the size and nature of the business.

            Policies must be approved by “Senior Management” (Regulation 19(2)). Senior Management is defined as “an officer or employee with sufficient authority to make decisions and knowledge of money laundering risks”.

            Group Policy:

            MLR 2017 has additional provisions concerning “group company policy” (Regulation 20). Essentially under these provisions, a parent company should ensure its AML policies apply to all subsidiaries (UK and non-UK based).

            Where there are subsidiaries and branches in the EEA, the parent must ensure that these offices follow the local AML laws and at the very least apply measures equivalent to those in the UK.

            Internal Controls:

            MLR 2017 contains further provisions in respect of “internal controls” (Regulation 21). Firms will be required to:

            • appoint a board member (or equivalent management body) to be responsible for MLR 2017 compliance;
            • regularly assess the suitability of the aforementioned appointed employee to the role; and
            • establish some form of independent audit function in respect of AML policies.


            When considering AML policies, firms should now be aware that the definition of PEPs is widened under MLR 2017, to include local PEPs and foreign PEPs (Regulation 35(12)).

            As a result, firms will need to conduct enhanced due diligence for a broader range of individuals who hold prominent public functions both in the UK and overseas.

            Customer Due Diligence (CDD)

            As per the existing provisions, MLR 2017 provides that firms will need to:

            • carry out CDD on new customers (Regulation 27(1));
            • identify the customer (if not already known) and verify their identity from documents provided by the customer, or from a reliable independent source (Regulation 29);
            • conduct CDD before the start of the business relationship/before completion (Regulation 30(1)) (there are exceptions if it would otherwise disrupt the normal conduct of business).

            The automatic application of simplified CDD in certain circumstances has been removed. Instead a firm will need to consider the risk factors in deciding whether it is appropriate.

            There is no specific reference in MLR 2017 as to how CDD should be carried out.

            Considerations for Firms – the rise of electronic evidence:

            The rise of electronic transactions has naturally led to greater use of electronic verification of identity, using an electronic/digital source. Electronic verification may be carried out by the firm or through an organisation. The JMLSG advises that firms should be aware of the risks of impersonation in electronic transactions, and advises on additional verification checks in such cases.

            Record Keeping

            Firms are required to keep a record of the identity and verification data of a customer for 5 years (Regulation 39(3)).

            The five year period begins when a firm will have reasonable grounds to believe that:

            • the transaction is complete, for records, documents or information relating to an occasional transaction; or
            • the business relationship has come to an end.

            After the expiry of the five year period, such data must be deleted unless there is a legal requirement to keep it or the data subject has expressly consented.

            What Should Firms be Doing

            Whilst the changes introduced by MLR 2017 are not wholesale, at the very least firms should:

            • ensure risk assessments are carried out;
            • revise policies and procedures, taking into account the risk assessment and the JMLSG guidance;
            • appoint appropriate persons to manage AML/TF policy; and
            • review CDD policies, ensuring they are fit for purpose and up to date.
