The Joint Money Laundering Steering Group, an industry recognised body that provides guidance for firms on AML compliance, has issued its Guidance on compliance with MLR 2017. Compliance with JMLSG’s Guidance is generally regarded as compliance with AML requirements. We await the finalised updated Guidance from JMLSG but have seen their draft proposed revised guidance.
MLR 2017 will incorporate the MLR 2007. The key changes include:
Whereas the MLR 2007 required firms to keep policies relating to risk assessment and due diligence, MLR 2017 is more prescriptive. The MLR advocates a “risk-based approach” to AML/TF policy.
As such, firms (if they are not already) must carry out a written risk assessment to identify and assess AML risks (Regulation 18(1)). This risk assessment must be documented, kept up to date (Regulation 18(4)) and made available to the FCA on request (Regulation 18(5) and (6)).
The risk assessment will be the foundation of a firm’s AML/TF policy. Firms should take into account:
The current JMLSG’s draft Guidance (Part 1) indicates a risk assessment may not need to be especially complex; this would be the case where the FCA considers the risks are clear and understood, or where the risks are not essentially complex.
MLR 2017 is more prescriptive here too.
Regulation 19(1) obliges firms to establish and maintain policies managing money laundering risks identified in the risk assessment, and keep a written record of them. These must be proportionate to the size and nature of the business.
Policies must be approved by “Senior Management” (Regulation 19(2)). Senior Management is defined as “an officer or employee with sufficient authority to make decisions and knowledge of money laundering risks”.
MLR 2017 has additional provisions concerning “group company policy” (Regulation 20). Essentially under these provisions, a parent company should ensure its AML policies apply to all subsidiaries (UK and non-UK based).
Where there are subsidiaries and branches in the EEA, the parent must ensure that these offices follow the local AML laws and at the very least apply measures equivalent to those in the UK.
MLR 2017 contains further provisions in respect of “internal controls” (Regulation 21). Firms will be required to:
When considering AML policies, firms should now be aware that the definition of PEPs is widened under MLR 2017, to include local PEPs and foreign PEPs (Regulation 35(12)).
As a result, firms will need to conduct enhanced due diligence for a broader range of individuals who hold prominent public functions both in the UK and overseas.
As per the existing provisions, MLR 2017 provides that firms will need to:
The automatic application of simplified CDD in certain circumstances has been removed. Instead a firm will need to consider the risk factors in deciding whether it is appropriate.
There is no specific reference in MLR 2017 as to how CDD should be carried out.
Considerations for Firms – the rise of electronic evidence:
The rise of electronic transactions has naturally led to greater use of electronic verification of identity, using an electronic/digital source. Electronic verification may be carried out by the firm or through an organisation. The JMLSG advises that firms should be aware of the risks of impersonation in electronic transactions, and advises on additional verification checks in such cases.
Firms are required to keep a record of the identity and verification data of a customer for 5 years (Regulation 39(3)).
The five year period begins when a firm has reasonable grounds to believe that:
After the expiry of the five year period, such data must be deleted unless there is a legal requirement to keep it or the data subject has expressly consented.
Whilst the changes introduced by MLR 2017 are not wholesale, at the very least firms should: