Where to start with the Money Laundering Regulations 2017
Writing a blog about becoming compliant with The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 is tricky. So much of what you will need to do will depend on the individual risk factors your firm faces. However, here are some things you should think about doing now.
1. Risk Assessment
You need to complete a risk assessment of your firm. I would look at the following areas, and establish the risk of your firm being targeted for money laundering:
- Who your clients are
- Where your clients, or their funds, are coming from
- The services you are providing to your clients
- How you provide services to your clients
- Size and nature of your business
2. Policy review and amends
Once you have arrived at your risk assessment, you should review your policy. Make sure you amend references to the 2007 regulations at the very least. It is likely that if you had assessed a client profile as needing enhanced due diligence, it will still need it. However, do review regulation 33 to see whether any changes are needed. You may find that you do not have to change the requirement to apply enhanced due diligence, although the process is very likely to change.
3. CDD Process
There are a number of practical changes you are likely to need to make to your CDD process:
- You will need to expand the list of information you obtain regarding a corporate client to include information about its constitution, possibly from a review of the articles of association. This could add considerable time to the process.
- You will need to consider the impact of the change in the definition of beneficial owners in relation to trusts, which is now much wider.
- Where the client is owned by a beneficial owner, you will also have to take reasonable measures to verify the identity of the beneficial owner so that you are satisfied you know who the beneficial owner is. Previously verification was only required on a risk sensitive basis.
- Review your process to identify if your client is a politically exposed person. Under the 2017 regulations a PEP includes domestic PEPs, and the definition has changed to include the governing bodies of political parties, and the boards of international organisations (think FIFA etc). You will need to ensure that a PEP is treated as such until 12 months after they have left post.
4. Internal Controls
The first job is to decide whether your firm is of the size and nature where the controls detailed in regulation 21 should apply. You will have considered this as part of your risk assessment. I think the risk from the type of work you do, and the visibility you have of the client and their source of funds, will be factors you should consider. If you feel you are of the size and nature, you will need to:
- Appoint a member of senior management to be responsible for compliance with the regulations
- Carry out screening of employees when they join the firm and on an ongoing basis, as to their skills and knowledge to carry out their functions effectively, and their conduct and integrity. You may already be doing this for some employees, such as conveyancers under the CQS requirements.
- Establish an independent audit function. Provided that this function can assess the effectiveness of the policies, controls and procedures in place, make recommendations for improvements, and have those improvements implemented, it does not appear that it needs to be an external function.
5. Operational Issues
All relevant people will need to be trained on AML/CTF and the Data Protection aspect of the Regulations. Given the changes, you may need to look at training sooner rather than later.
b. Record Keeping and Data Protection
- You need to make sure you keep records you obtain for AML for 5 years from the end of the business relationship
- After that time, you will need to destroy them unless you are required to keep them by law, for court proceedings, or if the client consents. You will need to obtain this consent from the client
- You will also need to provide the client with Data Protection information as prescribed by the regulations
c. Dealing with Bank queries on Pooled Client Account
Under the 2007 regulations, Banks could treat the PCA as a low risk product, as long as the firm produced upon request information about the identity of the persons on whose behalf monies are held.
The new Regulations say instead that a bank may apply SDD provided that:
- The holder of the bank account presents a low degree of risk, and
- Information on the identity of the person on whose behalf monies are held in the PCA is available on request.
In my experience, very few firms have the relevant permission from the client to be able to share this information. You will need to ensure that you have explained to the client that if the bank requests information about who you hold funds for, you will be required to provide that information, and that you have the client’s consent to do so.
Clearly there will be a lot of work to do over the coming months.
At Teal Compliance, we make complying easy. We can provide support for firms with policy reviews, auditing and training. Complete Packages (including Risk Assessment, Policy review, MLRO Training, Staff training, and audit) available from £5,000 plus VAT. Email me on firstname.lastname@example.org for details.