The UK’s New Money Laundering Regulations

On 26 June 2017, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations came into effect, implementing the EU's Fourth Money Laundering Directive and replacing the Money Laundering Regulations 2007, which will be repealed.

The regulations are available here

The main changes

Risk assessments - There is more detail about the risk assessments required of regulated firms and a requirement to keep a written record of this exercise. Regulation 18 states that a firm’s risk assessment must take into account risks identified by its relevant regulator, risks relating to its customers, geographic areas operated in, products and services, transactions and delivery channels.

Policies, controls and procedures - The section on policies, controls and procedures, already required by the 2007 Regulations, also contains more detail. Regulation 19 states that they must be proportionate to the size and nature of the business and be approved by senior management. They must provide for the identification and scrutiny of unusually large and complex transactions or unusual patterns of transactions. There is an obligation for firms with operations outside the UK to communicate their policies, controls and procedures to branches and subsidiaries outside the UK. Firms that are a 'relevant parent undertaking' must apply their policies, controls and procedures to their subsidiaries and branches in the UK and overseas.

Internal controls - Where appropriate to the size and nature of the business, regulation 21 requires firms to appoint a member of the board of directors or of its senior management to be responsible for compliance with the regulations. It also requires firms to screen relevant employees and agents before appointing them and to create an independent audit function to examine and evaluate the effectiveness of the firm’s policies, controls and procedures.

Customer Due Diligence - This is another area where requirements are more detailed than under the 2007 Regulations, with a list in regulation 27 of circumstances in which due diligence is required and the factors to be taken into account in deciding what measures are appropriate. A further list is provided in regulation 33 of circumstances in which Enhanced Due Diligence measures must be applied, such as where a transaction involves an entity established in a "high risk third country", and factors to take into account when determining whether Enhanced Due Diligence is required.

Politically Exposed Persons - The definition of a PEP has been expanded in regulation 35 to include domestic PEPs and Enhanced Due Diligence measures must be applied to individuals for at least a year after they cease to be a PEP. The FCA has published guidance for firms on how to assess the risk posed by any particular PEP, which can be found here, but the Government in its consultation response made clear that the mere fact that a person is a PEP does not justify any refusal to provide financial services to them.

Personal data - Personal data must be deleted from Customer Due Diligence records after five years, unless otherwise required by law, for the purposes of court proceedings or consent has been given for the retention of the data.