The Biggest Change to AML in a Decade
Monday 26th June 2017 saw The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 come into force, just 3 days after they were passed.
Much of the 2007 regulations remain intact, however, there are considerable amendments and additions and below are highlighted those most relevant to lawyers.
Each firm will have to prepare a risk assessment. This will involve taking reasonable steps to identify and assess the risks your firm faces, and keeping a written and up to date record of those steps you have taken.
When compiling your risk assessment, you should consider:
- Who your clients are
- Where your clients, or their funds are coming from
- The services you are providing to your clients
- How you provide services to your clients
- Size and nature of your business
Whilst it is not possible to prevent entirely the risk of being targeted by criminals, having a robust risk assessment will justify the steps you took.
Policies, controls and procedures
You must establish and maintain and regularly review policies, controls and procedures to mitigate and manage the risks which you have identified in your risk assessment. They need to be proportionate to the size and nature of your business.
Your policies must provide for the scrutiny of complex and unusually large transactions. This means each matter will need to be risk assessed. You should consider the due diligence information which has been obtained, and the nature of the instructions. The main question that lawyers need to ask themselves is does the transaction make sense?
The internal controls which you must implement will depend on your assessment of the size and nature of your business. You may need to
- Appoint an individual who is on the board, or a member of senior management as the officer who is responsible for compliance with the regulation
- Carry out screening of relevant employees
- Establish an independent audit function to examine the effectiveness of the policies
The training you provide must now also include training on the Data Protection requirements in the Regulations.
Customer Due Diligence (CDD)
CDD is not just required at the beginning of a relationship with the client, but also must be applied when you become aware of changes in the circumstances of an existing customer.
There are some important additions to the 2007 regulations in relation to a body corporate, namely
- Its constitution (which may be found in the articles of association).
- Where the client is beneficially owned by another person you must now also to verify the identity of the beneficial owner.
- Where the beneficial owner is a legal person, you also need to understand the ownership and control structure of the beneficial owner.
- These requirements will not be satisfied by relying only on the register of people with significant control.
- If the person instructing you is acting on behalf of a client, you must verify that person
It is also important to note that the definition of beneficial owner of a trust has been extended to now include settlor, the trustees, the beneficiaries or class of beneficiaries and any individual who has control of the trust.
Enhanced Customer Due Diligence (EDD)
The Regulations are more prescriptive as to when EDD measures need to be applied. You must apply EDD when the case is high risk.
When assessing whether a matter is high risk, you must consider regulation 33(6) including amongst others, customer, service and geographical risk factors.
EDD means examining the purpose of the transactions and increasing the frequency of monitoring. You may also seek further independent verification of the information you have been provided, take more steps to understand the ownership and financial situation or to ensure the instructions fit the client's business.
This has changed to include domestic PEPs and widened to include members of governing bodies of political parties and on the board of international organisations.
Simplified Due Diligence (SDD) and Pooled Client Accounts.
In relation to the client account, banks can apply SDD provided that
- The firm presents a low degree of risk, and
- Information on the identity of the person on whose behalf monies are held in the PCA are available on request.
You will need to ensure that you have explained to the client that, if the bank requests information about who you hold funds for, you will be required to provide that information. The client needs to consent to that.
You must provide new clients with a statement that any personal data received will only be processed for AML and CTF purposes. Data must be retained for 5 years following the end of the business relationship but then deleted unless you are required to keep it by law, or the data subject has given consent for its retention. You will need to ensure, probably through your terms of business letter, that you have the client's consent to keeping the data for longer than 5 years.