Showing posts with label transaction monitoring.

Thursday, 2 January 2020

You Have 9... No, wait, 8 Days To Comply With The Changes To The Money Laundering Regs

Not only do the recent changes to the Money Laundering Regulations widen the range of firms who have to comply, but there are also changes to the requirements for customer due diligence, risk assessments, policies, controls, procedures and training for firms already in scope. You have until 10 January 2020 to comply with most of the changes. I've summarised most changes here. Let me know if you need assistance.

Changes to Scope of the MLRs
The range of firms covered by the MLRs now includes letting agents, art market participants, cryptoasset (e.g. virtual currency) exchange providers and custodian wallet providers.

The definition of tax adviser is also extended to those who provide material aid or assistance on tax; and certain limits are lowered for e-money transactions and new restrictions are imposed on acquiring anonymous prepaid card transactions. 

Law enforcement authorities and the Gambling Commission can obtain information about safe-deposit boxes and about accounts held with banks, building societies and credit unions.

Changes to due diligence requirements

When you adopt new products, business practices (including new delivery mechanisms) or technology you must take appropriate measures in preparation for, and during, that process to assess - and if necessary mitigate - any money laundering or terrorist financing risks the change may cause.

If your firm is a parent, you must establish and maintain throughout your group all the various policies, controls and procedures for the purposes of preventing money laundering and terrorist financing - including for data protection and sharing information and including policies on the sharing of information about customers, customer accounts and transactions.

You must take appropriate measures - and keep records to prove - that you train your employees and agents whose work is relevant to your AML compliance or the identification or mitigation of the risk, prevention or detection of money laundering and terrorist financing. The training must be in the law relating to money laundering and terrorist financing, and related data protection requirements; as well as how to recognise and deal with suspicious transactions and other activities or situations which may be related to money laundering or terrorist financing.

The triggers for applying customer due diligence measures now include:
  • at appropriate times for existing customers, on a risk based approach; 
  • when you become aware that the circumstances of an existing customer relevant to your risk assessment for that customer have changed;
  • when you have a legal duty to contact an existing customer for the purpose of reviewing any information that is relevant to your risk assessment and relates to the beneficial ownership of the customer, including information which enables you to understand the ownership or control structure of a legal person, trust, foundation or similar arrangement which is the beneficial owner of the customer; 
  • when you have to contact an existing customer to fulfil a duty under the International Tax Compliance Regulations 2015.
The obligation to understand the ownership and control structure of a customer applies whether the customer is a body corporate or other legal person, trust, company, foundation or similar legal arrangement.

Where you've exhausted all possible means of identifying the beneficial owner of the body corporate and either you haven't succeeded or you aren't satisfied that the individual identified is in fact the beneficial owner, you must keep written records of all the actions you've taken to identify the beneficial owner and take reasonable measures to verify the identity of the senior person in the body corporate responsible for managing it, as well as all the actions you've taken and any difficulties you encountered in doing so.

Before establishing a business relationship with a customer, you must collect proof of registration or an excerpt of the relevant company or partnership registry (as the case may be) and report to the relevant registrar any discrepancy between information relating to the beneficial ownership of the customer that you collect from the register and information that otherwise becomes available to you in the course of carrying out your duties under the MLRs.

There are new triggers for carrying out 'enhanced' customer due diligence measures, as well as a specified (non-exhaustive) list of measures.

The thresholds for applying customer due diligence in the context of e-money are significantly reduced.

There are new restrictions on acquiring anonymous prepaid card transactions.

Law enforcement authorities and the Gambling Commission can now obtain information about safe-deposit boxes and about accounts held with banks, building societies and credit unions.


Tuesday, 16 January 2018

New To Payments? Try PSD2 Customer Authentication and Communication Standards!

If you are among the new entrants to the regulated payments space you should know that, in a bid to captivate and inspire a generation, the European Banking Authority has published the final 'regulatory technical standards' for payment user authentication and the secure communication of payments data. The standards should take effect in the second half of 2019, but the authorities are keen for regulated payment service providers (PSPs) to adopt them as soon as possible. They are written in legalese, but I've summarised them below in a bid to get them straight in my own head. Grab a coffee before proceeding!

Strong customer authentication 

PSPs must know they are dealing with their own customer by applying strong customer authentication. This is subject to certain permitted exemptions outlined below. PSPs must also protect the confidentiality and the integrity of each customer's personalised security credentials. Their security measures must be documented, periodically tested, evaluated and audited by auditors with expertise in IT security and payments and operationally independent within or from the PSP.
 
Broadly, authentication must be based on two or more elements of 'knowledge' (password/PIN), 'possession' (card/device) and 'inherence' (fingerprint/iris scan). 

These elements must be subject to measures designed to prevent disclosure (in the case of knowledge) and replication (in the case of possession), and to resist unauthorised use of the device or software (in the case of inherence). 

The breach of one element must not compromise the reliability of the others. Certain measures must also mitigate the risk that a multi-purpose access device has itself been compromised. 

Credentials and Code

Authentication credentials must be masked when displayed and not fully readable as they are being entered; not stored in plaintext; and must be protected from unauthorized disclosure. 

PSPs must document how they encrypt credentials or render them unreadable. 

The creation, processing and routing of credentials must be done in secure environments that accord with industry standards. 

Specific requirements govern the process of associating the user with credentials; delivery; authentication of devices and software; and the renewal, destruction, deactivation and revocation of credentials.

Authentication must result in the generation of an authentication code that is only accepted once by the PSP when the payer uses it to: access the payer’s payment account online, initiate an electronic payment transaction or to carry out any action through 'a remote channel which may imply a risk of payment fraud or other abuse'. 

No information on any of the authentication elements can be derived from the disclosure of the authentication code; nor can it be possible to generate a new authentication code based on the knowledge of any previous code. The code must not be able to be forged. 

Where the authentication has failed to generate an authentication code, it must not be possible to identify which of the authentication elements was incorrect. 

No more than 5 failed authentication attempts can take place consecutively before the authentication tool is blocked, either temporarily (based on certain factors) or permanently (after a warning). The user has 5 minutes of inactivity after being authenticated before access must time-out. 

Dynamic linking!

The payer must be made aware of both the amount of the proposed payment transaction and of the proposed payee. The authentication code must also be 'dynamically linked' to (i.e. specific to) the amount and the payee. Any change to the amount or the payee must invalidate the authentication code that was generated. 

PSPs must ensure the confidentiality, authenticity and integrity of the amount of the transaction and the payee throughout all of the phases of the authentication; as well as the information displayed to the payer including the generation, transmission and use of the authentication code.
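As an added illustration (not code from this post or from the EBA standards), here is a small Python model of the authentication code rules just described: a code is single use, bound to the exact amount and payee, invalidated by any change to either, answered with a bare pass/fail, blocked after 5 consecutive failures and dead after 5 minutes of inactivity. The HMAC-over-nonce construction, the key, the payee strings and the injected clock values are my own assumptions.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5      # RTS: block the tool after 5 consecutive failures
INACTIVITY_TIMEOUT_S = 300   # RTS: 5 minutes of inactivity ends the session

class DynamicLinkingAuthenticator:
    """Issues single-use authentication codes bound to amount and payee.

    The key stands in for the user's already-verified authentication elements.
    Each code is an HMAC over a fresh nonce plus the transaction data, so it
    leaks nothing about the key and earlier codes do not predict later ones.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._pending = {}        # code -> (amount_cents, payee) awaiting use
        self._failed = 0          # consecutive failed authorisations
        self.blocked = False
        self.last_activity = None

    def issue_code(self, amount_cents: int, payee: str, now: float) -> str:
        """Generate a code dynamically linked to this exact amount and payee."""
        nonce = secrets.token_bytes(16)
        msg = nonce + f"{amount_cents}|{payee}".encode()
        code = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        self._pending[code] = (amount_cents, payee)
        self.last_activity = now
        return code

    def authorise(self, code: str, amount_cents: int, payee: str, now: float) -> bool:
        """Accept a code once, only for the amount and payee it was issued for.
        Returns a bare yes/no so the caller cannot tell which part mismatched."""
        if self.blocked:
            return False
        if self.last_activity is not None and now - self.last_activity > INACTIVITY_TIMEOUT_S:
            self._pending.clear()     # session timed out: outstanding codes die with it
            return False
        self.last_activity = now
        expected = self._pending.pop(code, None)   # consumed whether or not it matches
        if expected is not None and expected == (amount_cents, payee):
            self._failed = 0
            return True
        self._failed += 1             # a changed amount or payee counts as a failure
        if self._failed >= MAX_FAILED_ATTEMPTS:
            self.blocked = True       # temporary vs permanent block is a policy choice
        return False
```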

Transaction monitoring

PSPs must monitor interaction with their customers to detect unauthorised or fraudulent payment transactions, taking into account elements which are typical of the user when normally using the credentials and, at a minimum, the following risk-based factors: 
  • lists of compromised or stolen authentication elements; 
  • the amount of each payment transaction; 
  • known fraud scenarios in the provision of payment services; 
  • signs of malware infection in any sessions of the authentication procedure; and
  • where the access device or software is provided by the PSP, a log of the use of the device or software and the abnormal use of the device or software. 

Exemptions from strong customer authentication

The permitted exemptions (subject to transaction monitoring, and quarterly assessments to be shared with the FCA on request) are: 
  • checking the balance or the last 90 days of transactions without entering sensitive payment data; 
  • a contactless payment of up to €50, a series of up to €150 or 5 consecutive contactless payments; 
  • payment at an unattended parking or transport ticket terminal;
  • the payee is included in a list of trusted payees (unless adding to or changing the list); 
  • recurring payments (after authenticating for the first);
  • transfers between the users’ own accounts with the same PSP; 
  • a remote electronic payment of up to €30, consecutive payments of up to €100 or 5 consecutive remote electronic payments; 
  • commercial payment processes or protocols where the FCA is satisfied they guarantee at least the same level of security as under PSD2; 
  • low risk remote electronic payment transactions (based on certain risk factors) where: 
      o the fraud rate is below the relevant reference rate; 
      o the amount is below a specific threshold; and 
      o the PSP’s real time risk analysis hasn’t identified certain specified problems. 
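Added example, not from this post or any PSP's code: a Python decision function for the low-value contactless and remote exemptions above, with the transaction monitoring factors from the previous section acting as an override. It assumes the conservative reading that both the cumulative-amount limit and the 5-consecutive-payment limit apply to a series, and models the monitoring factors as flags set by upstream checks; trusted-payee list maintenance and the fraud-rate based exemption are left out.

```python
from dataclasses import dataclass

# Thresholds from the summary above, in euro cents (constructed config, not any PSP's code):
# channel -> (single payment cap, cumulative cap since the last strong authentication)
LIMITS = {"contactless": (5_000, 15_000),   # €50 / €150
          "remote": (3_000, 10_000)}        # €30 / €100
MAX_CONSECUTIVE_WITHOUT_SCA = 5

@dataclass
class Counters:
    """Per-credential state since the last strong customer authentication."""
    count_since_sca: int = 0
    cents_since_sca: int = 0

@dataclass
class RiskSignals:
    """Minimum monitoring factors the RTS lists; any hit withdraws the exemption."""
    compromised_credential: bool = False   # hit on a stolen/compromised element list
    known_fraud_scenario: bool = False
    malware_suspected: bool = False
    abnormal_device_use: bool = False      # PSP-issued device or software used abnormally

    def any_hit(self) -> bool:
        return any(vars(self).values())

def sca_required(channel: str, amount_cents: int, counters: Counters,
                 signals: RiskSignals, trusted_payee: bool = False) -> bool:
    """Return True when strong customer authentication must be applied."""
    if signals.any_hit():
        return True                    # monitoring overrides every exemption
    if trusted_payee:
        return False                   # payee already on the user's trusted list
    if channel not in LIMITS:
        return True                    # no low-value exemption for this channel
    single_cap, cumulative_cap = LIMITS[channel]
    if amount_cents > single_cap:
        return True
    if counters.count_since_sca + 1 > MAX_CONSECUTIVE_WITHOUT_SCA:
        return True                    # would be the 6th consecutive exempt payment
    if counters.cents_since_sca + amount_cents > cumulative_cap:
        return True                    # series would exceed the cumulative cap
    return False

def record_outcome(counters: Counters, amount_cents: int, sca_applied: bool) -> Counters:
    """Reset the series after SCA, otherwise extend it by this payment."""
    if sca_applied:
        counters.count_since_sca, counters.cents_since_sca = 0, 0
    else:
        counters.count_since_sca += 1
        counters.cents_since_sca += amount_cents
    return counters
```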

Secure communications

A PSP's communication sessions must be protected against the capture of authentication data transmitted during authentication, and against manipulation by unauthorised parties based on certain communication standards. These include secure identification of payer’s and payee’s devices; traceability of both the transactions and the interaction with the user and other participants in transactions; and a secure access interface between payer and online payment accounts. 

The access interface must allow for access by the user’s chosen account information service providers (AISPs) and payment initiation service providers (PISPs), although access by AISPs and PISPs can be facilitated via a dedicated interface that meets certain requirements. 

Wakey-wakey!

The End.