1) Welcome to the Family – New Entities and Expanded Scope of Covered Activities
Art market participants, letting agents and crypto exchange and wallet providers (VASPs) are the latest new members of the family of entities now required to comply with the MLRs here in the UK. Some participants will be finding their feet over the next few months as they navigate the AML regulatory terrain. On the positive side, this will hopefully provide other financial institutions with additional information, as needed, to satisfy themselves that these businesses have controls in place to detect and prevent financial crime risks.
The activities undertaken by a tax advisor covered by the MLRs has also expanded, from advice about tax affairs to now cover:
- Material aid, or
- Assistance or
in connection with the tax affairs of other persons, whether provided directly or through a third party.
2) Risk Assessing the New – Expanded Requirements
A small but significant change was made to Regulation 19 – Policies, Procedures and Controls.Regulation 19(4) requires that appropriate measures are taken before and during the adoption of new technology to assess and mitigate any associated AML or TF risks.
This obligation has been expanded so that, essentially, this assessment exercise, and corresponding control implementation, also be applied to new products and new business practices (including new delivery mechanisms).
These new requirements could conceivably cover centralizing certain AML functions,introducing mobile phone access via new apps, which are just a few activities I can think of. Hopefully, the amendments to the JMLSG Guidance, anticipated sometime this February, will provide some more insight on the types of activities this amendment in intended to capture.
3) Widening the Net on Training
There have been cases where a third party acting as agent for a financial institution, has ended up exposing a financial institution to financial crime risks. The amendments made to Regulation 24 appear to not only try address one of the causes of this risk – a lack of awareness about ML and TF risks by the agent –but to also ensure that other parties involved in the delivery of AML and CTF compliance activities are covered. The amendment requires that both relevant employees
AND any agents whose work involves;
- Contributing to the identification or mitigation of the risk of money laundering and terrorist financing for the relevant business, or
- Prevention or detection of money laundering and terrorist financing in relation to the relevant person’s business
(i) Made aware of the law relating to money laundering and terrorist financing, and to the requirements of data protection, which are relevant to the implementation of these Regulations; and
(ii) Regularly given training in how to recognise and deal with transactions and other activities or situations which may be related to money laundering or terrorist financing.Depending on how broadly the term “agent” is applied, this may require that financial institutions verify how their agents ensure that their staff who work in the areas above are appropriately trained and also how they determine whether that training was effective.
Depending on how broadly the term “agent” is applied, this may require that financial institutions verify how their agents ensure that their staff who work in the areas above are appropriately trained and also how they determine whether that training was effective.
4) Regulation 27(8) KYC and Existing Customers - It’s a Taxing Matter
When the US FATCA regime was first introduced several years ago, the question of whether its KYC requirements could also be incorporated into existing AML KYC processes was explored by several institutions, although many maintained separate KYC processes for each of these requirements.
Fast forward to 2020, and the MLRs now expressly require that one of the triggers for reviewing existing customer KYC and CDD includes when a financial institution is required to “reach out” to a customer as part of the collection,alidation/reason to doubt and reporting of tax residency information, including ongoing monitoring of changes in circumstances that impact on the tax residency information.
Additions to this same regulation also expand KYC and CDD requirements for existing customers requiring a review where any additional information is received as a part of ongoing monitoring, adverse media checks or other information that suggests a change in ownership or control. Expect regulatory onsite visits to involve greater scrutiny of the review of existing customer files and the application of these new triggering requirements.
5) Regulation 28 – Customer Due Diligence Measures
There's been a small update to this regulation that is not likely to pose a huge change for most institutions. The addition of a paragraph that expressly states that relevant persons “must take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation or similar legal arrangement” is unlikely to catch-out many institutions who have been required to comply with the MLRs for some time now. This also applies to the amendment made in 28(8) about what to do when a beneficial owner of a legal entity can’t be identified.
Nonetheless, institutions should ensure that a “health check” is performed internally to verify that their policies and procedures reflect in their wording an acknowledgement of this requirement. This will be particularly relevant where reliance has been placed on powers of attorney, authorised signatory lists etc.
6) Regulation 28(19) - eKYC Has Finally Arrived!
For those of you who know me, I’ve been talking about eKYC for the last three years or so and am thrilled to see it finally transposed into the MLRs. Here in the UK, this is the Gov ID programme – if you file your own tax returns online, you’ll have had your identification set up with one of approved providers of this programme.
In addition to extending the use of eKYC established under this programme. eKYC made available by private vendors can also be used. One interesting variation between the 5AMLD wording and the MLRs, is that the latter has not included the 5AMLD wording that any such providers as are “regulated, recognised, approved or accepted by the relevant national authorities”.
Watch this space to see whether this is elaborated upon in the revised JMLSG Guidance expected in February.
7) Regulation 33 – High Risk Third Countries
The 5AMLD Article 18a was the subject of debate and as most are aware, much disagreement, especially in terms of the “list” of third countries (what I called ‘bad AML list’) and the process for adding jurisdictions to it.
The MLRs has added an interesting amendment. It provides that when dealing with a transaction involving a high risk third country, where EITHER OF THE PARTIES to the transaction is established in a high-risk third country, enhanced due diligence measures should be applied New 33(3A)).A small revision, but potentially a significant one for those institutions who have not already incorporated the monitoring of both senders and recipients into existing transaction monitoring programmes.
Helpfully, the MLRs amendments also clarify that an individual should not be treated as de facto high risk simply because they were born in a high-risk country. There must be evidence to show that they are an actual resident in that jurisdiction. The amendment also makes it clear that the term “established” in terms of legal entities, refers to a customer have its principal place of business or its principal regulatory authority (for a financial institution).
8) Next Steps
We’re anticipating the revised JMLSG Guidance that will support and clarify the application of these amendments will be released in February but until then, there’s no time like the present to start reviewing existing KYC policies, procedures and processes.
Appendix – Extract Table of Amendments