This means that less than three years after implementing the Fourth Money Laundering Directive (MLD4), firms must again revisit their anti-money laundering and counter-terrorist financing (AML/CTF) procedures. However, there is some good news for firms already within scope of the regime. Unlike MLD4 implementation which required larger scale changes including the implementation of risk assessments and associated re-reviews of existing client due diligence, MLD5 is likely to just require tweaks to firms’ existing processes.
The reason MLD5 came into force so quickly after MLD4 was as a result of the 2015 Paris terrorist attacks and 2016 Panama Papers leaks. In particular, it is a reaction to the increased use by terrorists of certain modern technology services as alternative financial systems. Consequently, the biggest changes relate to crypto currencies and assets, high risk individuals and politically exposed persons (PEPs) and provisions on information sharing and gathering.
MLD5 will be transposed into UK law by amending the Money Laundering Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). The Treasury has also made clear that where the Financial Action Task Force (FATF) recommendations go further than the MLD5 requirements, these will inform the UK’s approach. The Treasury will also use implementation to address any gaps identified by the FATF in its mutual evaluation report of the UK’s AML/CTF regime in December 2018.
Although the Treasury is expected to publish the final changes to the MLRs before they take effect, there will be little (if any) time between publication and implementation on 10 January 2020. This briefing therefore sets out an overview of key changes that firms can begin to make now based on the Treasury’s April 2019 consultation.
MLD5 brings providers engaged in exchange services between cryptoassets and fiat currencies and custodian wallet providers within scope. The UK government has however indicated that it is inclined to go beyond the requirements of MLD5 and capture additional crypto service providers (in accordance with anticipated FATF recommendations). In particular, the government sees the risks of illicit activity being carried out at various points of cryptoasset exchange and not just through fiat-crypto exchange services. It is therefore considering including additional crypto service providers within the scope of the MLRs.
The extent to which the government will address the money laundering risks posed by these products is not yet clear. However, this is an area where additional measures must be expected. Firms operating in this space should begin preparations for: complying with customer due diligence (CDD) obligations; assessing money laundering and terrorist financing risks; reporting any suspicious transactions; and from 10 January 2020 submitting an application to register with the Financial Conduct Authority (FCA).
Customer due diligence measures
The changes to CDD measures are not substantive. MLD5 is slightly more prescriptive regarding certain measures that firms must take. Some of the changes are in fact implicit under the existing regime. This will mean that many firms will find they already run processes which meet at least some of the new requirements. Firms will however need to assess any gaps between their existing processes and the enhanced requirements. The more prescriptive measures relate to:
- CDD requirements where a customer is a body corporate
MLD5 requires that firms must determine and verify the law to which customers which are body corporates are subject and obtain full names of directors (or members of equivalent management body) and senior persons responsible for the operations of the body corporate. Previously the obligation on firms was to take reasonable measures to obtain this information. In most cases, it will be obvious to which law a company is subject and this can be verified by obtaining copies of certificates of incorporation, a search of the relevant company registry and confirmation of a customer’s principal place of business. However, in circumstances where a body corporate operates in a jurisdiction which is not its place of incorporation, it is possible that the body corporate will be subject to the laws of more than one jurisdiction.
MLD5 requires that where a beneficial owner cannot be identified, firms must verify the identity of the senior person in the body corporate and keep written records of these actions. Previously, the requirement was just to keep a written record of all the actions taken to identify the beneficial owner and a provision that a firm may treat the senior person responsible as the beneficial owner.
Understanding a customer's business
FATF recommendations require firms to understand the nature of their customer’s business and its ownership and control structure. The MLRs will be updated to add an explicit requirement to understand a customer’s business and ownership and control structure. This should not result in any meaningful changes as currently where a customer is beneficially owned by another, firms must take reasonable measures to understand the ownership and control structure of the legal person, trust, company, foundation or other legal arrangement.
Under MLD5, firms must (as part of their CDD when entering into a new relationship with a company, trust or other legal entity that is subject to beneficial ownership registration requirements) collect proof of registration or an excerpt of the register. The registers were introduced under MLD4 and currently firms are able to use the information provided to the register as part of their CDD processes but must not exclusively rely on them.
The register for companies and other legal entities is known as the register of people with significant control (PSC) which is maintained by Companies House and for trusts, it is the Trust Registration Service (TRS) maintained by HMRC. The PSC register is already publicly available. The TRS is currently only available to competent authorities and financial intelligence units.
As under the current regime, the Treasury has indicated that the onus should be on the trust or company to provide proof of registration to an obliged entity, upon the obliged entity’s request. However, as the Companies House register is public, firms can obtain the information directly if they wish to. For trusts, firms will need to request the proof of registration from trustees. It is expected that HMRC will provide trustees with the ability to print out an extract of their registration details to share with firms carrying out CDD.
For firms carrying out CDD on a company, MLD5 additionally requires them to report any discrepancies between beneficial ownership information found at Companies House on the PSC register with the beneficial ownership information available to them. The Treasury has proposed that firms should report any discrepancies found directly to Companies House. The Treasury has also asked if a public warning on the register would be appropriate or if this could create tipping off issues under the Proceeds of Crime Act 2002. Further guidance is expected.
In addition to existing requirements to apply CDD at appropriate times on a risk sensitive basis or when circumstances relevant to a customer’s risk assessment have changed, firms must now additionally apply CDD in the following circumstances:
- when there is any legal duty on the firm to contact the customer for the purposes of reviewing that customer’s relevant beneficial ownership information; or
- where the firm has a duty under the International Tax Compliance Regulations for identifying new and pre-existing reportable offshore financial accounts for annual reporting, along with details of the account holder (including jurisdiction of tax residence).
In relation to the former circumstance, the Treasury proposes a definition of legal duty to be where UK law requires obliged entities to contact customers for the purpose of reviewing any information which is relevant to the risk assessment for that customer for CDD purposes and which relates to the beneficial ownership information of that customer. Firms will need to identify the circumstances (if any) under which they contact customers for this purpose and ensure that those responsible for carrying out CDD are notified in the event such customer contact is required.
Whilst not currently prohibited, MLD5 specifically provides for firms to use electronic means of identification. Electronic identification means relevant trust services as set out in the Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market or any other secure, remote or electronic identification process regulated, recognised, approved or accepted by national authorities. The Treasury considers that standards on electronic identification processes set out in the Joint Money Laundering Steering Group guidance would constitute implicit recognition.
Enhanced due diligence (EDD) measures in high risk third countries
Currently under the MLRs, firms are required to carry out enhanced due diligence measures and ongoing monitoring to mitigate the risks arising from any business relationship or transaction with a person “established” in a high-risk third country. MLD5 requires further specific EDD measures to be carried out where business relationships or transactions "involve” designated high risk third countries.
The Treasury has stated that it intends to narrow the definition of “involving”, so that UK citizens who are nationals of high risk third countries are not subject to EDD purely as a result of that connection and so unjustly denied certain financial services. The Treasury is seeking views regarding the definition of “involving”. Mandatory measures for establishing such relationships include:
- obtaining additional information on the customer and on the beneficial owner(s);
- obtaining additional information on the intended nature of the business relationship;
- obtaining information on the source of funds and source of wealth of the customer and of the beneficial owner(s);
- obtaining information on the reasons for the intended or performed transactions;
- obtaining the approval of senior management for establishing or continuing the business relationship; and
- conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.
MLD5 also requires firms to take at least one of the following additional mitigating measures when carrying out transactions involving high risk third countries:
- the application of additional elements of enhanced due diligence;
- the introduction of enhanced relevant reporting mechanisms or systematic reporting of financial transactions; and
- the limitation of business relationships or transactions with natural persons or legal entities from the third countries identified as high risk countries.
These measures are only required where applicable. The Treasury has stated that it intends firms to determine which requirements are necessary based on their assessment of risk. This should mean that firms, having implemented MLD4 measures requiring customer risk assessments, should only have to make small changes to their procedures.
Whilst the precise meaning of “involving” is not yet clear, firms would be well placed to:
- identify any existing relationships which have any connection to a high risk third country. Existing customer risk assessments should include geographical risk factors which should assist this process;
- consider any additional due diligence required; and
- assess if the existing monitoring in place for these relationships is sufficient to meet the new requirements.
MLD5 seeks to assist firms to identify UK PEPs. It requires the UK to issue and keep up to date a list indicating the exact functions which qualify as prominent public functions. The Treasury intends to adopt the approach already taken by the FCA in identifying these functions in the existing FCA PEP guidance.
MLD5 also requires member states to request each international organisation accredited on their territories to issue and keep up to date a list of prominent public functions. The Treasury plans to request UK headquartered intergovernmental organisations to issue and keep up to date a list of these functions.
For firms already following the FCA guidance, the approach to PEPs will be unchanged. Procedures will just need to be updated to highlight to firms that there is a list to check for determining if a function is a prominent public function.
Electronic money (e-money)
Although MLD5 has retained an exemption from certain CDD measures for low risk e-money products, the exemption has been narrowed. This means that e-money firms will have to conduct CDD measures on a greater proportion of transactions. Under MLD5, member states are permitted to exempt e-money products from certain CDD measures where all the following conditions are satisfied:
- the maximum amount that can be stored electronically is €150 (currently the limit is €250 or €500, if it can only be used in the issuing member state);
- the payment instrument is not reloadable or is subject to a maximum limit on monthly payments of €150 which can only be used in the issuing member state (currently the limit is €250);
- the payment instrument is used exclusively to purchase goods and services;
- anonymous e-money is not used to fund the payment instrument; and
- any redemption in cash or remote payment transaction does not exceed €50 per transactions (currently the limit is €100).
The Treasury has stated that it is minded to maintain the exemptions provided for under MLD5.
Actions for firms
Whilst firms await the final rules, ahead of 10 January 2020 they can prepare for implementation by taking the following steps:
- reviewing their implementation of MLD4, in particular, ensuring their customer risk assessments and associated monitoring arrangements are both appropriate and up to date;
- identifying any gaps in their existing CDD processes and the new CDD requirements;
- reviewing any relationships which have a connection to a high risk third country and determining if additional EDD measures are required for MLD5; and
- monitoring regulatory updates for: (i) information regarding reporting discrepancies to Companies House; (ii) updates to JMLSG guidance; and (iii) lists of prominent UK public functions.