Consultation on Money Laundering Regulations 2017 17/4
10th May 2017
Money Laundering regulations: 2017 (Consultation)
The government consultation on how it intends to implement the Fourth Money Laundering Directive (‘4MLD’ or ‘the directive’) and its accompanying Fund Transfer Regulation (FTR) has now ended. In a document entitled ‘Money Laundering Regulations 2017: Consultation’, the government has clarified the policy direction it intends to take in transposing these new regulations on money laundering into domestic policy.
A number of changes have been made, utilising a risk-based approach, that will effect relevant businesses. Noteworthy key decisions following the consultation are the following:
- a requirement for Her Majesty’s Revenue and Customs (HMRC) to act as the registry authority for all trust and company service providers (TCSP), who are not registered by HMRC themselves or the Financial Conduct Authority (FCA)
- an extension of the fit and proper test to agents of money service businesses (MSBs), which will be carried out by HMRC
- retaining letting agents within the scope of the new regulations where they carry out estate agency work within section 1 of the Estate Agents Act 1979 (as amended)
- the exemption of all gambling service providers from the requirements of the directive, except remote and non-remote casinos
- a decision not to allow pooled client accounts to be automatically subject to simplified due diligence, but instead for this to be applied on a risk based approach
The regulations at a glance:
Increased turnover threshold to £100,000
The government has clarified that in cases where there is little risk of money laundering or terrorist financing, some businesses may be exempt from coverage by 4MLD. The threshold of £100,000 turnover has therefore been set. The vast majority of respondents to the consultation found this figure agreeable.
Changes to due diligence requirements
Obliged entities falling within the scope of the directive will need to apply different levels of due diligence measures to manage the risk of money laundering and terrorist financing. This may entail either customer due diligence (CDD), simplified due diligence (SDD) or enhanced due diligence (EDD).
In its draft regulations, the government has delineated general factors under which CDD will be applicable. This was on the basis that firms and supervisors can best understand their individual and sector risk profiles, that the factors affecting risk will vary by sector and that too much prescription in legislation may lead to a “tick-box” approach. More detailed examples of sector-specific risk factors are expected to be set out in sector-specific guidance.
Previous Money Laundering Regulations (2007) provide threshold values for CDD in euros (directly from the directive) as opposed to pounds sterling. The government has confirmed it will continue this approach in the updated Money Laundering Regulations.
One-off company formation
Taking heed of the National Risk Assessment (NRA), the government has set out in the new regulations that when a trust or company service provider (TCSP) is asked to form a company, this is to be treated as a business relationship whether or not the formation is the only transaction being carried out for that customer.
This means that TCSPs now have confirmation that one-off company formations may be considered a risk indicator of suspicious activity.
Simplified Customer Due Diligence (SDD)
In terms of SDD, the government has decided to include a non-exhaustive list of factors in the new regulations, in line with its risk-based approach. These include considering types of customers, geographic areas, and particular products, services, transactions or delivery channels. More detailed examples are expected to be set out in forthcoming sector specific guidance.
Pooled Client Accounts
The government’s view is that Pooled Client Accounts (PCAs) should not automatically be subject to SDD, but rather on a risk-based approach. PCAs have therefore been included in the new regulations on that basis.
Reliance on Third Parties for CDD
With a view to tackling the barriers to firms relying on third parties for customer due diligence, the government has included a reference to “at the latest within two working days” for the third party to produce these documents. Obliged entities, though able to use an outsourcing provider, will continue to be fundamentally liable in ensuring that CDD requirements are met.
4MLD limits the circumstances under which e-money issuers can be exempted from CDD based on an appropriate risk assessment that demonstrates a low risk, and where all of the following risk-mitigating conditions are met:
- the payment instrument is not reloadable, or has a maximum monthly payment transaction limit of €250, and can be used only in that member state
- the maximum amount stored electronically does not exceed €250
- the payment instrument is used exclusively to purchase goods or services
- the issuer carries out sufficient monitoring of the transaction or business relationship to enable the detection of unusual or suspicious transactions
The maximum electronic storage limit may be increased to a maximum of €500 for payment instruments that can be used only in that member state. In addition, no more than €100 can be redeemed in cash from an e-money instrument.
The NRA identified e-money products as medium risk for money laundering and low risk for terrorist financing. The government views the limits set out under the 4MLD as sufficiently high to mitigate the ML/TF risk, and that exemptions should therefore be applied. More detailed sectoral guidance should set out the risk-based circumstances in which SDD could apply in other circumstances, in line with the European Supervisory Authority (ESA) guidelines.
FATF considers correspondent banking to be high risk as reflected in the Joint Money Laundering Steering Group (JMLSG) guidance. The current approach taken requires financial and credit institutions engaged in cross-border correspondent relationships with a third country respondent institution to conduct enhanced due diligence. These requirements include: gathering sufficient information about the respondent to understand fully the nature of its business; determining from publicly-available information the reputation of the respondent and the quality of its supervision; assessing the respondent’s AML/CTF controls; obtaining approval from senior management before establishing a new correspondent relationship; and documenting the respective responsibilities of the respondent and correspondent.
These measures are additional to the CDD requirements which include requirements to: identify the customer and verify the customer’s identity; assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship; identify the beneficial owner, take reasonable measures to verify the identity of the beneficial owner and, if the beneficial owner is a legal person, trust, company, foundation or similar legal arrangement, take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation or legal arrangement; and, conduct ongoing monitoring of the business relationship. When performing these measures, credit and financial institutions must also verify that any person purporting to act on behalf of the respondent is so authorised to identify and verify the identity of that person.
The MLRs prohibit credit institutions from doing business with a shell bank. The directive goes further by also prohibiting credit and financial institutions from doing business with a respondent bank that is known to allow its accounts to be used by a shell bank.
Politically Exposed Persons
Some firms said they were already distinguishing between low and high-risk PEPs and tailoring their EDD measures accordingly. EDD is a sliding scale and it is right that low-risk PEPs should be treated at the lowest level, just as it is right for high-risk customers to face more stringent measures. Firms should assess the risk posed by each customer and they should not form judgements based solely on anyone’s status as a PEP.
Once a PEP ceases to be entrusted with a prominent public function, obliged entities must continue to perform EDD for at least 12 months. However, firms are no longer required to apply EDD in relation to the family members or known close associates of a former PEP.
Respondents raised concern about the disproportionate treatment of the family members and known close associates of PEPs by certain financial institutions. The government strongly supports a proportionate and sensible approach to the application of EDD.
Respondents suggested that firms could look at a wide range of factors when evaluating the risk posed by each customer and determining the extent of EDD, including:
- the value and nature of the product in question
- the individual’s prominence in public life, their level of influence within their organisation and their ability to directly access or control public or party funds. These criteria should be incorporated into the risk assessment for family members and known close associates, as well as the assessment for PEPs themselves
- whether they are already subject to disclosure requirements, such as registers of interests or independent oversight of their expenseswhether any other statutory checks or controls are in place to ensure their funds are handled appropriately
- in the case of PEPs who are affiliated with a political party, whether they are associated with the local branch of their party or the national one; whether their party has elected any members to the UK Parliament, a devolved legislature or the European Parliament; and whether they are subject to a reporting regime, such as one established under the Political Parties, Elections and Referendums Act 2000
- the levels of risk posed by the country that entrusted them with their prominent public function and the country in which they residewhether they are still performing their prominent public function or have retired in the preceding 12 months
- the tone of recent publicity about them.
Article 30 of the directive has two main requirements: that EU member states hold adequate, accurate and current information on the beneficial ownership of corporate and other legal entities incorporated within their territory in a central register; and that such information should be made available to specific authorities, organisations and those with a legitimate interest across the EU.
The UK has already legislated to require transparency of the beneficial ownership of UK companies, Limited Liability Partnerships and Societates Europaeae. The obligation on these entities to maintain a register of people with significant control (“PSC register”) and provide this to the UK registrar of companies (“Companies House”) was put in place through the Small Business, Enterprise and Employment Act 2015, and a subsequent suite of regulations in March 2016.
Article 31 requires the trustees of any express trust to hold adequate, accurate and up-to-date information on the beneficial ownership of their trust. They must make this information available to law enforcement and the UK Financial Intelligence Unit (UKFIU). They must also disclose to HMRC their status as a trustee when entering into business relationships or conducting transactions in their capacity as a trustee. HMRC plans to launch its register in summer 2017 as an online service.
Article 31 is clear that any express trust with tax consequences will need to be registered, irrespective of its function. In this context, investment trusts are not the same as express trusts where there is a transfer of legal ownership of property from the settlor to the trustee. “Tax consequences” should be taken to arise if the trust incurs UK liabilities for income tax, capital gains tax, non-resident capital gains tax, inheritance tax, stamp duty land tax or stamp duty reserve tax. UK resident trusts with UK tax liabilities will be required to register, as will trusts that are resident outside of the UK but have a UK tax liability.
Contracts, wills and testaments will not need to register automatically, but only if they create an express trust, in which case the beneficial ownership information of that trust would need to be reported to HMRC where it generates a tax consequence.
Trustees will be required to provide information on the identities of the settlors; other trustees; beneficiaries; all other natural or legal persons exercising effective control over the trust; and all other persons identified in a document or instrument relating to the trust, including a letter or memorandum of wishes. This information will include:
- their name
- their correspondence address and other contact details
- their date of birthif they are resident in the UK, their National Insurance Number (applies to individuals only) or their Unique Taxpayer Reference (applies to non-individuals only)
- if they are not resident in the UK, their passport or ID number with its country of issue and expiry date.
If a trust has a class of beneficiaries, not all of whom have been determined, then it will not be necessary to report all of the above information. Instead, trustees will need to provide a description of the class of persons who are entitled to benefit from the trust. Trustees will also be required to provide general information on the nature of the trust. These include its name; the date on which it was established; a statement of accounts describing the assets; the country where it is resident for tax purposes; the place where it is administered; and a contact address.
Supervision of obliged entities
The UK has 25 supervisors, a mixture of self-regulatory bodies and regulators. They are a highly diverse group including large global professional bodies, smaller professional and representative bodies, as well as public sector organisations. The Treasury is responsible for the appointment and removal – on the basis of non-compliance with the regulations – of supervisors.
The directive requires that supervisory authorities effectively monitor obliged entities and take appropriate measures to ensure their compliance with the directive. Articles 47 and 48 provide greater clarity and detail on what is expected of supervisors in ensuring that obliged entities comply. For example, Article 48 notes that all supervisors must have adequate powers and financial, human and technical resources to fulfil their supervisory functions.
The new regulations place a requirement on all supervisors to identify and assess the international and domestic ML/TF risks associated with persons in their sector. When making such risk assessments, supervisors must consider factors such as the NRA. Supervisors are able to take a cluster approach to risk profiling obliged entities in their sectors, provided they share similar characteristics and the ML/TF risks associated with those entities are not significantly different.
As outlines in ESA guidelines, mitigation should be followed by continued monitoring to ensure that ML/TF risks have been appropriately addressed, and follow-up action should be taken as necessary.
The government is still considering how best to address the remaining issues raised in its Call for Information on the current AML supervisory regime. A full response is expected in due course.
From 26 June, HMRC will act as the registering authority for all trusts and company service providers (TCSPs). This means HMRC will expand their register to include TCSPs who are supervised by professional bodies. It remains the duty of the supervisory authority to ensure that TCSPs who fall under their supervision are compliant with the new regulations. New regulations will however require the following of professional supervisory bodies:
inform HMRC of their members who carry out TCSP activity so that they can be added to the registerinform HMRC if relevant members have passed fit and proper testsinform HMRC if the fit and proper status of their members has changed
New regulations will also allow the registering authorities (FCA and HMRC) the ability to request further information as they deem necessary.
In circumstances whereby a registration is refused, it must be done so where there exists “reasonable grounds of suspicion”. Where the registration authorities seek to cancel a registration, it must do so on the basis that they are “satisfied” that relevant officers are not fit and proper.
Fit and proper tests
Supervisors of TCSPs and MSBs will be required to carry out fit and proper tests on individuals and entities considered to hold a ‘management function’. New regulations define the holder of a “management function” as an “officer” or a “manager.”
An “officer” is:
- in a body corporate: (i) a director, secretary, chief executive, member of the committee of management or a person purporting to act in such a capacity or an individual who is a controller of the body, or a person purporting to act as a controller
- in relation to an unincorporated association, means any officer of the association or any member of its governing body, or a person purporting to act in such a capacity
- in relation to a partnership, means a partner, or a person purporting to act as a partner
Whereas a manager is:
- a person who has control, authority or responsibility for one or more aspects of the business of that firm and includes a nominated officer
New regulations will clarify that fit and proper tests are to be carried out on both the MSB principal and agent by HMRC.
FCA refusal of Annex 1 financial institutions
The new regulations require the FCA to refuse registration of an Annex 1 financial institution, where it believes an individual holding a management function – including a beneficial owner – is not a fit and proper person.
4MLD imposes new criminality tests on the following three sectors not subject to fit and proper tests:
- Auditors, external accountants and tax advisor
- Notaries and other independent legal professionals
- Estate agents
The government has confirmed that the scope of such tests will include:
- crimes that are relevant to the risk of money laundering or terrorist financing
- crimes that have a bearing on whether a person is suitable to hold a management function
The criminality test will not be extended to include persons being investigated for, or charged with, a relevant crime and the government will not permit supervisors to take into account spent convictions and cautions when assessing whether a person should be prohibited from being a beneficial owner, officer or manager of a supervised business. Criminality tests will be extended to High Value Dealers (HVDs).
Once the regulations come into force, supervisors will be required to carry out criminality tests on all beneficial owners, officers and managers from that date. A person may not continue to act in the capacity of a beneficial owner, officer or manager where that person fails the criminality test.
A new duty is being placed on supervisory authorities to take appropriate steps to share relevant information. One example is a requirement on all supervisors to make up-to-date ML/TF information available to those whom they supervise. This should include information on money laundering and terrorist financing practices that occur in their sectors; indicators which may suggest that a transfer of criminal funds is taking place; and relevant information from other sources such as the European Commission, ESAs, Home Office and the Treasury.
Supervisors must also collect information from their regulated sectors to assist them in carrying out their supervisory functions. This should include information to support risk assessments. Supervisors must also collect information such as the number of firms they supervise, divided into those they consider high, medium and low risk. Supervisors must provide the Treasury with such information on request, to enable the Treasury to assess, understand and mitigate risks in each sector.
Self-regulatory bodies must make arrangements to ensure that their AML/CTF supervisory functions are operationally independent from any functions which do not relate to disciplinary matters. Professional bodies must also appoint a person to monitor and manage compliance with the new regulations, and must also provide adequate resources to carry out their supervisory functions.
The government has clarified that the policies, controls and procedures that mitigate the risk of money laundering and terrorist financing should be documented, either written or in electronic form.
The government will retain the minimum 5-year data retention period required by 4MLD. By not extending beyond 5 years, the government is seeking to minimise the additional burdens on business, while ensuring that law enforcement have access to the necessary information
As designated supervisory authorities, the FCA and HMRC have the power to impose civil penalties against obliged entities that contravene the requirements set out in 4MLD and/or FTR. Applicable provisions of the directive for sanctions will include breaches of customer due diligence, reporting obligations, record-keeping and internal controls.
Where HMRC or the FCA use this power, they must publish publicly available information on the type and nature of the breach, and the identity of the natural or legal person on whom the sanction is imposed. Where a person appeals against a penalty imposed, an appeal status must be published on the relevant sanctioning body’s website. Relevant information may be published anonymously where the naming of the relevant person is considered, for example, to be disproportionate or would jeopardise the stability of the financial markets. In cases in which it is considered that anonymous publication is insufficient, in certain situations, information will not be published.
© CPA Audit LLP 2019.