Legalease Home page
Money laundering regulation

 

Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017

Contents:

Introduction

Businesses subject to MLR

Supervisory authorities

Requirement to be registered

Fit and proper test

Risk assessment

Policies, controls and procedures

Training

Customer due diligence

Beneficial owner

Record keeping

Policies and procedures

Training

Enforcement

Introduction

The UK government implemented most of the provisions of the EU first anti-money laundering Directive of 1991 by making the Money Laundering Regulations 1993 (MLR 1993). These regulations came into force on 1 April 1994 and applied to banks and other credit institutions, insurance companies and investment business firms (‘relevant financial business’). These firms were required to maintain procedures for the purposes of preventing money laundering, in particular by training employees in the recognition of money laundering transactions and applying identity checking procedures and report suspicious activities to the regulatory authorities.

The MLR 1993 were modified in 2001 by the addition of bureaux de change and certain other categories of money service business. Customs and Excise were required to keep a register of money service operators.

The Money Laundering Regulations 2003 replaced the MLR 1993 amended with updated provisions which reflected the EU second anti-money laundering 2001 Directive. Additional activities were brought within the scope of the regulations included estate agency work; operating a casino, insolvency practitioners, tax adviser, accountancy and audit services, legal services relating to financial or real property transactions, company and trust formation and management services and dealing in high value goods for cash of 15,000 euro or more. The regulations also required casino operators to obtain evidence of the identity of gaming customers. Customs and Excise were required to keep a register of high value dealers.

Following the EU 2005 Directive, the UK government made the Money Laundering Regulations 2007 (MLR 2007) which replaced the 2003 Regulations with updated provisions which implemented in part the EU 2005 Directive. Identification requirements were extended to identifying the beneficial owner of corporate entities, partnerships and trusts. Customs and Excise were required to keep a register of trust and company service providers. Minor amendments to MLR 2007 were made in 2007 and 2011. Amendments were made in 2012 which among other changes excluded from the scope of MLR 2007 an undertaking which provides credit by allowing time to pay for services, where payment is made over a period of no more than 12 months, and extended the definition of ‘estate agent’ to include estate agents selling property outside the UK.

The EU Commission made a proposal for a Fourth Money Laundering Directive in February 2005 (2013/0025 (COD). This proposed a number of changes to the regime, including greater harmonisation of EU member states’ AML regulation, ensuring regulation is risk-focused, including tax crimes as predicate offences and clarifying inter-action of AML with data protection regulation. In addition, it proposed that legal entities and trusts should maintain registers of beneficial owners accessible to competent authorities and persons subject to the AML regime.

The proposal for a Fourth Money Laundering Directive was enacted the Fourth Money Laundering Directive 2015/849/EU of the European Parliament and of the Council of 20th May 2015 on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing (OJ L 141, 05.06.2015, p73). The EU also enacted the Funds Transfer Regulation 2015/847/EU (“funds transfer regulation”) of the European Parliament and of the Council of 20th May 2015 on information accompanying transfers of funds (OJ L 141, 05.06.2015, p1).

 

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR) replaced the Money Laundering Regulations 2007 (SI 2007/2157) and the Transfer of Funds (Information on the Payer) Regulations 2007 (SI 2007/3298) with updated provisions that implement in part the foregoing EU legislation.

Businesses subject to MLR

The MLR apply to ‘relevant persons’: [MLR reg. 3/8] who carry on business in the UK [MLR reg. 9.: ‘Relevant persons’ is a category similar to the ‘regulated sector’ in relation to the POCA money laundering offences. They include broadly credit and financial institutions, auditors, accountants, tax advisers and insolvency practitioners, independent legal professionals, trust or company service providers, estate agents, high value dealers and licensed casinos. The MLR also apply to some extent to 'auction platforms', i.e. a platform which auctions two-day spot or five-day futures, within the meanings given by Article 3.4 and 3.5 of the emission allowance auctioning regulation.

HM Revenue & Customs have guidance for businesses on whether the Money Laundering Regulations apply to a business as well as detailed practical guidance on how to comply for businesses which are subject to the MLR.

Businesses subject to the MLR must register with the appropriate supervisory body (see Supervision and registration below) if they are not already supervised (e.g. by the FCA or a professional body). Businesses should follow the relevant supervisory body’s guidance on AML and the MLR. Following such guidance will be important in establishing a possible due diligence defence to any charge of breaching the MLR.

Supervisory authorities

The following bodies are supervisory authorities:

Financial Conduct Authority (FCA): supervisory authority for the following categories of relevant persons:

* credit and financial institutions which are authorised persons but not excluded money service businesses;

* trust or company service providers which are FCA authorised persons;

* ‘Annex I’ financial institutions, and credit unions in Northern Ireland and recognised investment exchanges;

* electronic money institutions;

* auction platforms;

Professional bodies: each of the professional bodies listed in MLR Sched.1 as below is the supervisory authority for relevant persons who are regulated by it:

* Association of Accounting Technicians;

* Association of Chartered Certified Accountants;

* Association of International Accountants;

* Association of Taxation Technicians;

* Chartered Institute of Legal Executives;

* Chartered Institute of Management Accountants;

* Chartered Institute of Public Finance and Accountancy;

* Chartered Institute of Taxation;

* Council for Licensed Conveyancers;

* Faculty of Advocates;

* Faculty Office of the Archbishop of Canterbury;

* General Council of the Bar;

* General Council of the Bar of Northern Ireland;

* Insolvency Practitioners Association;

* Institute of Certified Bookkeepers;

* Institute of Chartered Accountants in England and Wales;

* Institute of Chartered Accountants in Ireland;

* Institute of Chartered Accountants of Scotland;

* Institute of Financial Accountants;

* International Association of Book-keepers;

* Law Society;

* Law Society of Northern Ireland;

* Law Society of Scotland

Commissioners of Revenue and Customs (HMRC): supervisory authority for:

* high value dealers;

* money service businesses which are not supervised by the FCA;

* trust or company service providers which are not supervised by the FCA or one of the above professional bodies listed in Schedule 3;

* auditors, external accountants and tax advisers who are not supervised by one of the bodies listed in Schedule 3;

* bill payment service providers which are not supervised by the FCA;

* telecommunication, digital and IT payment service providers which are not supervised by the FCA;

* estate agents which are not supervised by one of the professional bodies listed in Schedule 1;

 

Requirement to be registered

The FCA is required to maintain a register of authorised persons who act or intend to act as a money service business or a trust or company service provider.

HMRC must maintain a register of relevant persons who are not on the FCA register and are a:

(a) high value dealer;

(b) money service business;

(c) trust or company service provider;

(d) bill payment service provider; or

(e) telecommunication, digital and IT payment service provider

[MLR reg. 54-55]

Unless he is registered, a person may not carry out any of the above activities.

This requirement does not apply if the person concerned has applied for registration in the register, but that application has not yet been determined.

[MLR reg. 56(1)-(2)]

Other firms which are within the 'relevant person' definition are supervised for anti-money laundering purposes by their professional body and are not subject to the above registration requirement.

Pre-exisiting registration under MLR 2007

A relevant person which is registered in the register maintained by the Commissioners under regulation 25 or 32 of the Money Laundering Regulations 2007 is to be treated as included in the appropriate registers maintained by the Commissioners under regulation 54 or 55 of the MLR 2017these Regulations for the purpose of paragraph (1):

(a) during the period of 12 months beginning with the date on which the MLR 2017 came into force [26/06/2017]; and

(b) after that period, if the person concerned has provided the additional information required for registration under regulation 57 within the above 12 month period.

[MLR reg. 56]

Fit and proper test

An applicant for registration must in effect be approved by the FCA or HMRC as the case may be as a 'fit and proper person' to carry on that business.

A person does not breach the prohibition if that person has before 26th June 2018 applied to the supervisory authority for approval and that application has not yet been determined.

[MLR reg. 58]

 

Risk assessment by relevant persons

The MLR require a relevant person to take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject. In carrying out the risk assessment, the relevant person must take into account:

(a) information made available to them by the supervisory authority under regulations 17(9) and 47, and

(b) risk factors including factors relating to—

(i) its customers;

(ii) the countries or geographic areas in which it operates;

(iii) its products or services;

(iv) its transactions; and

(v) its delivery channels.

In deciding what steps are appropriate, the relevant person must take into account the size and nature of its business.

A relevant person must keep an up-to-date record in writing of all the steps it has taken under paragraph (1), unless its supervisory authority notifies it in writing that such a record is not required.

[MLR reg. 18]

Policies, controls and procedures

A relevant person must:

(a) establish and maintain policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified in any risk assessment undertaken by the relevant person under regulation 18(1);

(b) regularly review and update the policies, controls and procedures established under sub-paragraph (a);

(c) maintain a record in writing of:
(i) the policies, controls and procedures established under sub-paragraph (a);
(ii) any changes to those policies, controls and procedures made as a result of the review and update required by sub-paragraph (b); and
(iii) the steps taken to communicate those policies, controls and procedures, or any changes to them, within the relevant person’s business.

The policies, controls and procedures adopted by a relevant person under paragraph (a) must be:

(a) proportionate with regard to the size and nature of the relevant person’s business, and

(b) approved by its senior management.

The policies, controls and procedures referred to in paragraph (a) must include:

(a) risk management practices;
(b) internal controls ;
(c) customer due diligence;
(d) reliance and record keeping;
(e) the monitoring and management of compliance with, and the internal communication of, such policies, controls and procedures.

(4) The policies, controls and procedures referred to in paragraph (1) must include policies, controls and procedures—

(a) which provide for the identification and scrutiny of:
(i) any case where:
(aa) a transaction is complex and unusually large, or there is an unusual pattern of transactions, and
(bb )the transaction or transactions have no apparent economic or legal purpose, and;
(ii) any other activity or situation which the relevant person regards as particularly likely by its nature to be related to money laundering or terrorist financing;


(b) which specify the taking of additional measures, where appropriate, to prevent the use for money laundering or terrorist financing of products and transactions which might favour anonymity;


(c) which ensure that when new technology is adopted by the relevant person, appropriate measures are taken in preparation for, and during, the adoption of such technology to assess and if necessary mitigate any money laundering or terrorist financing risks this new technology may cause;

(d) under which anyone in the relevant person’s organisation who knows or suspects (or has reasonable grounds for knowing or suspecting) that a person is engaged in money laundering or terrorist financing as a result of information received in the course of the business or otherwise through carrying on that business is required to comply with:
(i) Part 3 of the Terrorism Act 2000; or
(ii) Part 7 of the Proceeds of Crime Act 2002).

In determining what is appropriate or proportionate with regard to the size and nature of its business, a relevant person may take into account any guidance which has been:

(a) issued by the FCA; or

(b) issued by any other supervisory authority or appropriate body and approved by the Treasury.

The policies, controls and procedures referred to above are implemented by Legaleze as explained in this document and in the Appendices.

lnternal controls

Where appropriate with regard to the size and nature of its business, a relevant person must:

(a) appoint one individual who is a member of the board of directors as the officer responsible for the relevant person’s compliance with the MLR;

(b) carry out screening of relevant employees appointed by the relevant person, both before the appointment is made and during the course of the appointment;

(c) establish an independent audit function with the responsibility:
(i) to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by the relevant person to comply with the requirements of these Regulations;
(ii) to make recommendations in relation to those policies, controls and procedures; and
(iii) to monitor the relevant person’s compliance with those recommendations.

In determining what is appropriate with regard to the size and nature of its business, a relevant person:

(a) must take into account its risk assessment under regulation 18(1); and

(b) may take into account any guidance which has been—
(i) issued by the FCA; or
(ii) issued by any other supervisory authority or appropriate body and approved by the Treasury.

A relevant person must establish and maintain systems which enable it to respond fully and rapidly to enquiries from any authorised person as to:

(a) whether it maintains, or has maintained during the previous five years, a business relationship with any person; and

(b  )the nature of that relationship.

Training

A relevant person must:

(a) take appropriate measures to ensure that its relevant employees” are:
(i) made aware of the law relating to money laundering and terrorist financing, and to the requirements of data protection, which are relevant to the implementation of the MLR;
(ii) regularly given training in how to recognise and deal with transactions and other activities or situations which may be related to money laundering or terrorist financing;

(b) maintain a record in writing of the measures taken under sub-paragraph (a), and in particular, of the training given to its relevant employees.


In determining what measures are appropriate a relevant person:

(a) must take account of:
(i) the nature of its business;
(ii) its size;
(iii) the nature and extent of the risks of money laundering and terrorist financing to which its business is subject; and

(b) may take into account any guidance which has been:
(i) issued by the FCA; or
(ii) issued by any other supervisory authority or appropriate body and approved by the Treasury.

 

Customer Due Diligence

A relevant person must apply ‘customer due diligence measures’ (CDD) when he:

* establishes a ‘business relationship’ (i.e. a business, professional or commercial relationship with a customer, which is expected by the relevant person, at the time when contact is established, to have an element of duration);

* carries out an ‘occasional transaction’ (i.e. a transaction amounting to 15,000 euro or more, whether the transaction is carried out in a single operation or several operations which appear to be linked);

* suspects money laundering or terrorist financing;

* doubts the veracity or adequacy of documents, data or information previously obtained for the purposes of identification or verification.

Special rules apply to CDD in relation to high value dealers and casinos.

CDD must be applied at other appropriate times to existing customers on a risk-sensitive basis.

A relevant person must determine the extent of CDD on a risk-sensitive basis depending on the type of customer, business relationship, product or transaction. He must also be able to demonstrate to his supervisory authority that the extent of the measures is appropriate in view of the risks of money laundering and terrorist financing.

Customer due diligence measures consist of:

* identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source;

* identifying, where there is a beneficial owner who is not the customer, the beneficial owner and taking adequate measures, on a risk-sensitive basis, to verify his identity so that the relevant person is satisfied that he knows who the beneficial owner is, including, in the case of a legal person, trust or similar legal arrangement, measures to understand the ownership and control structure of the person, trust or arrangement; and

* obtaining information on the purpose and intended nature of the business relationship.

[MLR reg.27]:

Beneficial owner

In the case of a legal entity, a ‘beneficial owner’ means any individual who:

* ultimately owns or controls (directly or indirectly) more than 25% of the shares or voting rights in the entity (except in the case of a company whose securities are listed on a regulated market), or

* otherwise exercises control over the management of the entity.

A similar test applies to partnerships. Special rules apply in the case of a trust. In any case not specifically covered, beneficial owner means the individual who ultimately owns or controls the customer or on whose behalf a transaction is being conducted.

[MLR reg. 5]

In the case of a trust, the settlor; trustees, beneficiaries and any individual who has control over the trust are treated as the beneficial owner.

[MLR reg. 6]

Comment: ‘Customer due diligence’ was formerly known and often still is called ‘Know Your Client’ (KYC). While the basic aim of the customer due diligence regulations is understandable, they are often a source of inconvenience and annoyance to customers, and burdensome for firms to operate. This is so particularly in cases where the customer is a legal entity in a group or owned by offshore or multiple shareholders.

Requirement to cease transactions

If a relevant person is unable to apply customer due diligence measures, he must:(subject to certain exceptions):

(a) not carry out any transaction through a bank account with the customer or on behalf of the customer;

(b) not establish a business relationship or carry out a transaction with the customer otherwise than through a bank account;

(c) terminate any existing business relationship with the customer;

(d) consider whether the relevant person is required to make a disclosure (or to make further disclosure) by Part 3 of the Terrorism Act 2000 or Part 7 of the Proceeds of Crime Act 2002.

[MLR reg. 31]

Ongoing monitoring

A relevant person must conduct ongoing monitoring of a business relationship, including:

(a) scrutiny of transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the relevant person's knowledge of the customer, the customer's business and risk profile;

(b) undertaking reviews of existing records and keeping the documents or information obtained for the purpose of applying customer due diligence measures up-to-date.

[]MLR reg. 28(11)]

Enhanced customer due diligence and ongoing monitoring

A relevant person must apply enhanced customer due diligence measures (CDD) and enhanced ongoing monitoring in certain cases including:

* any case identified as one where there is a high risk of money laundering or terrorist financing;

* in any business relationship or transaction with a person established in a high-risk third country;

* if a relevant person has determined that a customer or potential customer is a Politically Exposed Person (PEP) (see below), or a family member or known close associate of a PEP;

* in any case where the relevant person discovers that a customer has provided false or stolen identification documentation;

* in any case where a transaction is complex and unusually large, or there is an unusual pattern of transactions, and the transaction or transactions have no apparent economic or legal purpose, and

* in any other case which by its nature can present a higher risk of money laundering or terrorist financing.

Relationship with PEPs

A relevant person who proposes to have a business relationship or carry out an occasional transaction (as defined in the MLR - see above) with a ‘politically exposed person’ (see below) must:

* have approval from senior management for establishing the business relationship with that person;

* take adequate measures to establish the source of wealth and source of funds which are involved in the proposed business relationship or occasional transaction; and

* where the business relationship is entered into, conduct enhanced ongoing monitoring of the relationship.

Where the customer has not been physically present for identification purposes, a relevant person must take specific and adequate measures to compensate for the higher risk, for example, by applying one or more of the following measures:

* ensuring that the customer's identity is established by additional documents, data or information;

* supplementary measures to verify or certify the documents supplied, or requiring confirmatory certification by a credit or financial institution which is subject to the money laundering directive;

* ensuring that the first payment is carried out through an account opened in the customer's name with a credit institution.

[MLR reg. 33]

‘Politically exposed person’ (PEP)

PEPs are individuals who are or have been entrusted with prominent public functions including the following:

* heads of state, heads of government, ministers and deputy or assistant ministers;

* members of parliaments or similar bodies;

* members of supreme courts, of constitutional courts or of other high-level judicial bodies whose decisions are not generally subject to further appeal;

* members of courts of auditors or of the boards of central banks;

* ambassadors, chargés d'affaires;

* high-ranking officers in the armed forces; and

* members of the administrative, management or supervisory bodies of state-owned enterprises.

Middle-ranking or more junior officials are excluded from the above categories.

Immediate family members of a PEP are also included; these are: a PEP’s spouse, partner, children and their spouses or partners and parents.

Also included are persons known to be close business associates of the PEP. In this case, the relevant person who is carrying out the CDD need only have regard to information which is in his possession or is publicly known.

[MLR reg. 35]

Banks and credit institutions

Special rules apply for banks and credit institutions.

Simplified customer due diligence

A relevant person may apply simplified customer due diligence measures in relation to a particular business relationship or transaction if it determines that the business relationship or transaction presents a low degree of risk of money laundering and terrorist financing, having taken into account:

* the risk assessment it carried out;

* relevant information made available to it by a supervisory body;

* certain spefcified customer, product and geographical risk factors..

Where a relevant person applies simplified customer due diligence measures, it must:

* continue to comply with CDD requirements but may adjust the extent, timing or type of the measures it undertakes under that regulation to reflect its determination of the risk factors;

* carry out sufficient monitoring of any business relationships or transactions which are subject to those measures to enable it to detect any unusual or suspicious transactions.

[MLR reg. 37]

Record keeping

A relevant person must keep the following records for at least five years from the date the business relationship ends or the occasional transaction is completed:

* copies of or the references to, the evidence of the customers’ identities as part of CDD;

* supporting records (original documents or copies) relating to the business relationship or occasional transaction which is the subject of CDD or ongoing monitoring.

[MLR reg. 39]

Enforcement

Civil enforcement

Enforcement of the MLR on persons not supervised by the FCA or HMRC will depend on the rules of the relevant body.

Civil penalties: in respect of persons supervised by the FCA or HMRC (the Authority), the Authority may impose a penalty of such amount as it considers appropriate on a person who fails to comply with [most of] the MLR requirements. ‘Appropriate’ means effective, proportionate and dissuasive. No penalty may be imposed on a person where there are reasonable grounds for it to be satisfied that the person took all reasonable steps and exercised all due diligence to ensure that the requirement would be complied with.

In deciding whether a person has failed to comply with an MLR requirement, the Authority must consider whether he followed any relevant guidance issued by the supervisor or the Treasury.

[MLR reg. 76]

A supervisory authority may impose a temporary or permanent prohibition on the individual concerned holding an office or position involving responsibility for taking decisions about the management of a relevant person or a payment service provider.

[MLR reg. 78]

Appeal and review: a person may appeal a decision of HMRC under:

* regulation 28, to the effect that a person is not a fit and proper person;

* regulation 29, to refuse to register an applicant;

* regulation 30, to cancel the registration of a registered person; and

* regulation 42, to impose a penalty.

Information gathering and search powers: supervisory authorities and their authorised officers have certain powers to require information, copies of documents and to enter premises in certain circumstances [MLR regs. 37-41].

Cases  on enforcement of civil penalties:

Clarke & Co v Commissioners For Her Majesty’s Revenue & Customs
[2012] UKFTT 300 (TC) 3 May 2012


Mr Clarke, the proprietor of Clarke & Co, failed to register as a tax advisor or external accountant in the period between 1 January 2009 and February 2011. HMRC imposed on him a penalty of £737.91 for the failure. The penalty of £737.91 imposed by HMRC was calculated by aggregating two amounts: an amount of £237.91 representing the registration fee which Mr. Clarke would have paid in respect of the period between 1 January 2009 and 30 January 2011 had he been registered, and £500 which HMRC regarded as an appropriate penalty for a prompted disclosure of a failure to comply with the regulations.


On appeal, the First-tier Tribunal took into account a nine month period in which Mr Clarke's ill-health effectively prevented him from paying attention to his business. The Tribunal therefore reduced the element of the penalty by £82 and assessed the appropriate penalty at £555.91.

03/10/2012: Estate agent loses Tribunal appeal against £3,000 OFT fine

 The OFT has ‘welcomed’ the decision of the First-Tier Tribunal to dismiss the appeal by a Sussex-based estate agent against a fine imposed by the OFT for failing to register with the OFT under the Anti-Money Laundering Regulations (AML). Mansell McTaggart Limited was fined £3,000 by the OFT. The Tribunal found that the penalty imposed in this case was appropriate. Mansell McTaggart Limited has now registered.

Criminal enforcement

Offences: non-compliance with the MLR requirements is an offence and punishable on conviction on indictment to imprisonment for a term not exceeding two years, to a fine or to both.

In deciding whether a person has committed an offence, the court must consider whether he followed any relevant guidance issued by a supervisory authority or any other appropriate body. There is a due diligence defence and provision for Director’s criminal liability.

[Page updated: 22/02/2018]

 

<Back to Money laundering regulation