You Have 9... No, wait, 8 Days To Comply With The Changes To The Money Laundering Regs

Not only do the recent changes to the Money Laundering Regulations widen the range of firms who have to comply, but there are also changes to the requirements for customer due diligence, risk assessments, policies, controls, procedures and training for firms already in scope. You have until by 10 January 2020 to comply with most of the changes. I've summarised most changes here. Let me know if you need assistance.

Changes to Scope of the MLRs

The range of firms covered by the MLRs now includes letting agents, art market participants; cryptoasset (e.g. virtual currency) exchange providers and custodian wallet providers. 

The definition of tax adviser is also extended to those who provide material aid or assistance on tax; and certain limits are lowered for e-money transactions and new restrictions are imposed on acquiring anonymous prepaid card transactions. 

Law enforcement authorities and the Gambling Commission can obtain information about safe-deposit boxes and about accounts held with banks, building societies and credit unions.

Changes to due diligence requirements

When you adopt new products, business practices (including new delivery mechanisms) or technology you must take appropriate measures in preparation for, and during, that process to assess - and if necessary mitigate - any money laundering or terrorist financing risks change may cause.

If your firm is a parent, you must establish and maintain throughout your group all the various policies, controls and procedures for the purposes of preventing money laundering and terrorist financing - including for data protection and sharing information and including policies on the sharing of information about customers, customer accounts and transactions.

You must take appropriate measures - and keep records to prove - that you train your employees and agents whose work is relevant to your AML compliance or the identification or mitigation of the risk, prevention or detection of money laundering and terrorist financing. The training must be in the law relating to money laundering and terrorist financing, and related data protection requirements; as well as how to recognise and deal with suspicious transactions and other activities or situations which may be related to money laundering or terrorist financing.

The triggers for applying customer due diligence measures now include:

• at appropriate times for existing customers, on a risk based approach; 
• when you become aware that the circumstances of an existing customer relevant to your risk assessment for that customer have changed;
• when you have a legal duty to contact an existing customer for the purpose of reviewing any information relevant to your risk assessment and relates to the beneficial ownership of the customer, including information which enables you to understand the ownership or control structure of a legal person, trust, foundation or similar arrangement who is the beneficial owner of the customer; 
• when you have to contact an existing customer to fulfil a duty under the International Tax Compliance Regulations 2015.

The obligation to understand the ownership and control structure of a customer applies whether the customer is a body corporate or other legal person, trust, company, foundation or similar legal arrangement.

Where you've exhausted all possible means of identifying the beneficial owner of the body corporate and either you haven't succeeded or you aren't satisfied that the individual identified is in fact the beneficial owner, you must keep written records of all the actions you've taken to identify the beneficial owner and take reasonable measures to verify the identity of the senior person in the body corporate responsible for managing it, as well as all the actions you've taken and any difficulties you encountered in doing so.

Before establishing a business relationship with a customer, you must collect proof of registration or an excerpt of the relevant company or partnership registry (as the case may be) and report to the relevant registrar any discrepancy between information relating to the beneficial ownership of the customer that you collect from the register and information that otherwise becomes available to you in the course of carrying out your duties under the MLRs.

There are new triggers for carrying out 'enhanced' customer due diligence measures, as well as a specified (non-exhaustive) list of measures.

The thresholds for applying customer due diligence in the context of e-money are significantly reduced.

There are new restrictions on acquiring anonymous prepaid card transactions.

Law enforcement authorities and the Gambling Commission can now obtain information about safe-deposit boxes and about accounts held with banks, building societies and credit unions.

Are You Caught In The Wider Net Of The New Money Laundering Regs?

As a late Christmas present, the UK government issued the long-awaited amendments to the money laundering regulations ("MLRs") that must take effect by 10 January 2020. The changes impose customer due diligence and transaction monitoring obligations on letting agents, art market participants; cryptoasset (e.g. virtual currency) exchange providers and custodian wallet providers. The definition of tax adviser is also extended to those who provide material aid or assistance on tax; and certain limits are lowered for e-money transactions and new restrictions are imposed on acquiring anonymous prepaid card transactions. I've summarised some of the key aspects below, but there is no substitute for getting advice on your specific circumstances. Let me know if you need assistance.

Whether your activities fit the various definitions may not be easy to decipher. Crypto-currency exchange and wallet providers have been in discussion with the authorities for many years, and the impact there is reasonably clear. The definition of "letting agent" and the impact on the property market, however, deserves a blog of its own.  The impact on the art market is also difficult to address...

Art Market Participants

Recent allegations reveal that a complex web of people and international locations are often involved in art fraud. Not only does this type of fraud itself produce dirty money, but high prices, inconsistent record-keeping, subjective valuations, questionable authenticity and anonymity also create a fertile environment for laundering cash generated by other crimes. Digital technology and encrypted communications have made it increasingly hard to detect and prove fraud and money laundering after the fact. Prosecution of art fraud across national borders has been difficult.

Prior to MLD5, "high value dealers" fell within the scope of the AML regime, and these were defined as:

"a firm or sole trader who by way of business trades in goods (including an auctioneer dealing in goods), when the trader makes or receives, in respect of any transaction, a payment or payments in cash of at least 10,000 euros in total, whether the transaction is executed in a single operation or in several operations which appear to be linked."

The MLRs have now been amended to also apply to an “art market participant”, meaning a firm or sole practitioner who either: 

(i) by way of business trades in, or acts as an intermediary in the sale or purchase of, works of art and the value of the transaction, or a series of linked transactions, amounts to 10,000 euros or more; or 

(ii) is the operator of a freeport when it, or any other firm or sole practitioner, by way of business stores works of art in the freeport and the value of the works of art so stored for a person, or a series of linked persons, amounts to 10,000 euros or more;

A “work of art” means anything which in a long list in section 21 of the Value Added Tax Act 1994.

A “freeport” means a warehouse or storage facility within an area designated by theTreasury as a special area for customs purposes pursuant to section 100A(1) of the Customs and Excise Management Act 1979 (designation of free zones).

What Does Compliance Involve?

Those caught by the MLRs must at least apply certain "customer due diligence measures", including verifying the identity of the customer (subject to certain thresholds or triggers) and the ultimate beneficial owners of the money and assets involved:

• before establishing a business relationship; 
• if they suspect money laundering or terrorist financing; 
• if they carry out a funds transfer of more than a 1,000 euros; or
• if they doubt the veracity or adequacy of documents or information previously obtained for the purposes of identification or verification. 

Additional requirements apply in some cases. For instance, art market participants must also apply customer due diligence measures consistent with how that role is defined:

• in relation to any trade in a work of art when the firm or sole practitioner carries out, or acts in respect of, any such transaction, or series of linked transactions, whose value amounts to 10,000 euros or more; 
• in relation to the storage of a work of art when it is the operator of a freeport and the value of the works of art so stored for a person, or series of linked persons, amounts to 10,000 euros or more.

You must also understand the nature of your customer’s business and its ownership and control structure. If you can’t complete that due diligence, or enhanced due diligence where it is appropriate to make further checks, then you must cease dealing with the customer and file a suspicious activity report (SAR) with the National Crime Agency (NCA).

You will also need to monitor transactions with your customers for suspicious activity, which must also be reported to the NCA.

The Proceeds of Crime Act makes all forms of money laundering a criminal offence, and creates other offences such as failing to report a suspicion of money laundering and “tipping off” a suspected money launderer, which applies to staff and your nominated money laundering reporting officer (MLRO).

The Fraud Act 2006 also sets out offences committed by false representation, failing to disclose information and abuse of position.

The Data Protection Act 2018 and the EU General Data Protection Regulation require you to take appropriate security measures against the loss, destruction or damage of personal data. You also remain responsible when you pass data to a third-party for processing or to countries that do not have adequate data protection regimes.

The MLRs require a risk-based approach to compliance. It’s not enough that you comply, because you must be able to demonstrate that you comply, if challenged. That means written policies and procedures; good records of obligations performed, training, compliance monitoring; and taking steps to remedy gaps or failings identified. Your written AML policy should show that you and your staff are aware of the requirements and how you go about meeting them. You should also have a set of detailed, written AML procedures that show exactly how you and your staff will satisfy the commitments in your AML policy.

Again, while I've summarised some of the key aspects of AML compliance here, there is no substitute for getting advice on your specific circumstances. Let me know if you need assistance.

Brexit Britain To Gold-Plate 5th EU Money Laundering Directive

Anyone who still dreams that Brexit spells the end of the UK's ménage à trois with bureaucracy and regulation must read the Treasury's plans to implement the fifth EU directive on anti-money laundering.

The UK has always created an EU rod for its own back not only by adding its own weight to the regulatory burden, but also by effectively insisting on literal interpretation of EU law that was only intended to be construed according to its purpose.

This results in directives having a broader impact than they would otherwise have done (known as 'regulatory creep'), saddling British businesses - and ultimately British consumers - with costs they could otherwise avoid.

That is not to say that the UK's approach is always wrong - or is necessarily wrong on this occasion - but the 'blame' for this approach should land in Westminster not Brussels.

In this case, the government proposes to amend the The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("MLRs") in the ways I've summarised below. Responses to the consultation paper are due by 10 June 2019 and new regulations must take effect in the UK by 10 January 2020.

Tax advisors

• The definition of “tax advisor” in the MLRs to include firms and sole practitioners who by way of business provide, directly or by way of arrangement with other persons, material aid, assistance or advice about the tax affairs of other person.

 Letting agents

• There are numerous options for applying the MLRs to letting agents.

 Cryptoassets

• The MLRs will apply to service providers engaged in exchange services between cryptoassets and fiat currencies, and wallet providers in a way that includes exchange tokens, security tokens and utility tokens and so would also capture crypto-to-crypto exchange service providers; peer-to-peer exchange of both fiat-to-crypto and crypto-to-crypto between prospective “buyers” and “sellers”); cryptoasset ATMs; issuance of new cryptoassets (including ICOs); and the publication of open-source software (which includes, but is not limited to, non-custodian wallet software and other types of cryptoasset related software).

 High Value Dealers

• High value dealers are to include art intermediaries for transactions exceeding €10,000, including art galleries, auction houses and free ports/zones (currently none in the UK) regardless of whether they are paid for in cash (raising many questions in the consultation).

 E-money

• Exemptions for low value e-money instruments will be narrower, as all of the following conditions must be met: the maximum amount that can be stored electronically is €150; it either can't be reloadable or must have a maximum limit on monthly payments of €150 which can only be used in that Member State; used exclusively to purchase goods and services; can't be funded with anonymous e-money; and any single cash redemption or remote payment cannot exceed €50. In addition, EEA acquirers can only accept payments made with anonymous prepaid cards issued in non-EEA countries that impose equivalent AML requirements; and Members States may prohibit payments carried out using anonymous prepaid cards.

E-identification services

• The new requirement for electronic identification processes is for them to be “regulated, recognised, approved or accepted at national level by the national competent authority” which raises questions about which forms in the UK are implicitly within scope.

Companies and officers

• Firms will be required to determine and verify the law to which a body corporate is subject, its constitution and the full names of the board of directors and the senior persons responsible for the operations of the body corporate.

Where beneficial owner cannot be identified

• If a firm has exhausted all possible means of identifying the beneficial owner of a body corporate and hasn’t succeeded, the firm must keep written records of its actions, but such firms will now need to take further measures to verify the identity of the senior person in that body corporate and keep written records of those actions.

Understanding the customer's business/structure

• Firms will be required to understand the nature of their customer’s business and its ownership and control structure (rather than just being required to take "reasonable measures" to do so).

Filing SARs when due diligence fails

• Firms must cease transacting and file a suspicious activity report (SAR) when they cannot apply their due diligence or additional or enhanced measures.

Proof trust/company register was searched

• Firms must also collect proof of registration or an excerpt of the register from the company or the trust that is subject to beneficial ownership registration requirements before a new business relationship is established.

Apply due diligence when beneficial ownership must be reviewed

• Firms must apply due diligence when they have any legal duty in a calendar year to contact the customer for reviewing their relevant beneficial ownership information.

Enhanced due diligence where high risk countries involved

• Firms must apply a newly defined set of enhanced due diligence measures, and monitoring, to business relationships and transactions involving high-risk third countries.

Lists of PEP functions to be taken into account

• The responsibility to apply enhanced due diligence on Politically Exposed Persons (PEPs) will be able to be be discharged by applying the FCA’s July 2017 guidance on how firms should take into account a list of functions in determining whether an individual is a PEP for the purposes of the MLRs.

Information on beneficial owners to be publicly available

• The government must ensure that information on the beneficial ownership of corporate and other legal entities is accessible by members of the general public and “mechanisms” must be in place to ensure that the information held on the central register is adequate, accurate, and current; while the UK must also take appropriate actions to resolve any reported discrepancies in a timely manner and, if appropriate, include a specific mention in the central register in the meantime.

Trusts to be registered

• Trustees or agents of all UK and some non-EU resident express trusts must register those trusts with the Trust Registration Service, whether or not the trust has incurred a UK tax; and the government must share data from the register with a range of persons under certain circumstances.

Bank account registries

• The UK must establish a centralised registry or online retrieval mechanism which allows identification of natural and legal persons who hold or control bank accounts; payment accounts; or safe-deposit boxes held by credit institutions within the UK - including names and account/identification numbers.

Pooled client accounts of unregulated operators

• The government wants further evidence on the administration of checks relating to the use of pooled client accounts (PCAs) under the MLRs, especially those held by non-regulated businesses and any evidence of abuse; and the practical barriers industry face in implementing the current framework and it could be 'enhanced'.

AML risk assessments for new products, practices and channels

• Firms will need to undertake AML risk assessments prior to the launch or use of new products, new business practices and delivery mechanisms.

Provision of Information by branches and subsidiaries

• Firms must have policies relating to the provision of customer, account and transaction information from their branches and subsidiaries.

The UK will not require that "whenever a customer makes their first payment involving a designated high-risk third country, that payment is carried out through an account in the customer’s name with a credit institution subject to the Directive’s customer due diligence standards."