AML: Risk and the New Rules
New Money Laundering Regulations now in force mark the biggest change to the legal regime in a decade. Lockton explains the new risk assessment duties and other obligations on solicitors
Monday 26 June 2017 saw the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 come into force, just three days after they were passed.
In many sectors, including the legal sector, it has been acknowledged that there has been very little time for firms to prepare to comply. Indeed, the sector guidance which is required by the regulations will need HM Treasury approval, and that process could take some time. The Legal Sector Affinity Group, which is made up of all the legal sector supervisors, has informed HM Treasury of its view that, given the very short timescale between having sight of the final version of the new regulations and when they come into force, firms and individuals should have a period of time to adjust to their new obligations. Accordingly, firms do need to consider the regulations urgently, and make plans to comply.
Much of the 2007 Regulations remains intact; however, there are numerous amendments and additions, the most relevant of which are highlighted below.
Each firm will have to prepare a risk assessment. This will involve taking reasonable steps to identify and assess the risks your firm faces, and keeping a written and up-to-date record of those steps you have taken.
When compiling your risk assessment, you should consider:
· Who your clients are – are they people you have known for a long time; are you are likely to meet them face to face; or will you deal with them at a distance?
· Where your clients, or their funds are coming from – do your clients come from a high-risk jurisdiction, or are they using funds from such a jurisdiction? The EU and Financial Action Task Force (FATF) both publish information on what they consider to be high- risk countries.
· The services you are providing to your clients – are these services high risk for money laundering: real estate, corporate, trusts?
· How you provide services to your clients – do you do so at a distance? Do you market for distance clients, and does that pose a risk?
· Size and nature of your business – is there a risk that by the size of your firm, you may be targeted for money laundering?
While it is not possible to prevent entirely the risk of being targeted by criminals, having a robust risk assessment will justify the steps you took.
Policies, controls and procedures
You must establish, maintain and regularly review policies, controls and procedures to mitigate and manage the risks you have identified in your risk assessment. They need to be proportionate to the size and nature of your business. They need to be reviewed regularly, and records kept of any changes.
Your policies must provide for the scrutiny of complex and unusually large transactions. This means each matter will need to be risk assessed. You should consider the due diligence information which has been obtained, and the nature of the instructions. The main question that lawyers need to ask themselves is, does the transaction make sense?
The internal controls which you must implement will depend on your assessment of the size and nature of your business. You may need to:
· appoint an individual who is on the board, or a member of senior management, as the officer who is responsible for compliance with the regulation;
· carry out screening of relevant employees;
· establish an independent audit function to examine the effectiveness of the policies. It is thought that this does not necessarily mean an external independent audit, provided the internal function has sufficient seniority to make recommendations, and to see those implemented.
You must provide training to all relevant employees on anti-money laundering and terrorist financing, as well as on the data protection requirements in the regulations.
Customer due diligence (CDD)
CDD is not just required at the beginning of a relationship with the client, but also must be applied when you become aware of changes in the circumstances of an existing customer.
There are some important additions to the 2007 Regulations in relation to a body corporate, namely:
- its constitution (which may be found in the articles of association);
- where the client is beneficially owned by another person you must now also verify the identity of the beneficial owner;
- where the beneficial owner is a legal person, you also need to understand the ownership and control structure of the beneficial owner;
- these requirements will not be satisfied by relying only on the register of people with significant control;
- if the person instructing you is acting on behalf of a client, you must verify that person.
- It is also important to note that the definition of beneficial owner of a trust has been extended to now include settlor, the trustees, the beneficiaries or class of beneficiaries and any individual who has control of the trust.
Enhanced customer due diligence (EDD)
The regulations are more prescriptive as to when EDD measures need to be applied. You must apply EDD when the case is high risk.
When assessing whether a matter is high risk, you must consider reg 33(6), including among others, customer, service and geographical risk factors.
EDD means examining the purpose of the transactions and increasing the frequency of monitoring. You may also seek further independent verification of the information you have been provided with, and take more steps to understand the ownership and financial situation or to ensure the instructions fit the client’s business.
Politically exposed persons (PEPs)
The definition has changed to include domestic PEPs, and widened to include members of governing bodies of political parties and boards of international organisations.
Simplified due diligence (SDD) and pooled client accounts (PCA)
In relation to the client account, banks can apply SDD provided that
· the firm presents a low degree of risk; and
· information on the identity of the person on whose behalf monies are held in the PCA is available on request.
You will need to ensure that you have explained to the client that, if the bank requests information about who you hold funds for, you will be required to provide that information. The client needs to consent to that.
You must provide new clients with a statement that any personal data received will only be processed for AML and CTF purposes. Data must be retained for five years following the end of the business relationship, but then deleted unless you are required to keep it by law, or the data subject has given consent for its retention. You will need to ensure, probably through your terms of business letter, that you have the client’s consent to keeping the data for longer than five years.
With serious consequences for non-compliance, although it is recognised by the regulators that firms need time to comply, that should not mean any delay in moving towards compliance.
Amy Bell is a risk consultant for Lockton, and chairs the Law Society of England & Wales Money Laundering Task Force.