After several weeks of reviewing the new draft legislation implementing the new anti-money laundering directive and the consultation JMLSG guidance, here is my detailed breakdown of the changes that are due to come our way.
By way of a disclaimer, I will point out that even now, less than a month before implementation, this is based on draft regulation and consultation guidance. The UK still has the capacity to “gold plate” or change the regulations, to impose stricter requirements upon its firms or to interpret some points differently. The European Banking Authority’s (EBA’s) consultation on its draft guidance on the use of a risk-based approach to the Wire Transfer Regulations closes only today. Ultimately, until final versions of these documents are released, we run the risk of making changes that do not come to fruition. However, in the spirit of being over-prepared rather than under-prepared...
Simplified due diligence
The simplified due diligence (SDD) thresholds for e-money providers are now much more clearly defined and look not just at an annual limit but also impose initial load and ongoing usage limits that are risk-based and tied to product features. It was always the case that a firm’s own internal risk assessment needed to assess the overall product as low risk, but little guidance was given on what these risks might be.
Fortunately, these risks have now been clarified. Products that allow cash withdrawals attract a €100 monthly threshold, which is likely to affect a number of travel card issuers whose customers will often withdraw some cash on arrival to pay for taxis, tips and the like.
Such firms will also be impacted by new initial load limits, reflecting the risks associated with international usage. Allowances now reflect that UK usage-only cards are allowed a €500 limit, whereas international cards are capped at €250.
The JMLSG also provides further guidance on how client and product risk should be considered, and that a low-risk product alone does not automatically mean that SDD can be applied –
“Firms should not, however, judge the level of risk solely on the nature of the customer or the product. Where, in a particular customer/product combination, either or both the customer and the product are considered to carry a higher risk of money laundering or terrorist financing, the overall risk of the customer should be considered carefully”
Purporting to act on behalf of
This is not necessarily as revolutionary as it might originally seem and firms will likely be taking this step already as part of anti-fraud measures and controls. The current draft MLRs state:
“(10) Where a person (“A”) purports to act on behalf of the customer, the relevant person must— (a) verify that A is authorised to act on the customer’s behalf, (b) identify A, and (c) verify A’s identity on the basis of documents or information obtained from a reliable source which is independent of both A and the customer”
The handling of this will depend on the firm’s current processes and whether they work with intermediaries such as agents or representatives, but also the handling of directors and signatories on forms.
In the first instance, it would be best for firms to confirm that their contacts at the customer are directors with signatory powers to bind the client to the contract and, once this is confirmed, to identify and verify the signatory.
The same will be true of agents or intermediaries purporting to act on behalf of individual customers, where firms will have to ensure that a relevant power of attorney or similar authority exists before taking such instructions.
Electronic ID
As I mentioned a few weeks ago, JMLSG Guidance has “softened” slightly, allowing the use of electronic bank statements, providing guidance that “If the document is from the internet, a pdf version may be more reliable.” This is a clear improvement over the previous prohibition on their usage.
In the case of E-ID and the use of third-party electronic validations that check electoral registers and credit databases for signs of a footprint, little has changed, except that there is now a higher burden on firms to understand the source and type of data that they are validating against.
“Some electronic sources evidencing identity can be created by commercial organisations from a range of other existing electronic material, without any requirement that the source meet particular verifiable performance or other standards in doing so.”
For example, a firm that utilises sources that include social media or other unverified data (such as marketing and media lists) may find that they cannot rely on this in isolation. While the guidance does finally make a nod to social media:
“Given the increasing prevalence of social media data, firms may consider, if felt appropriate, taking such information into account as part of their CDD measures, but should have regard to the risks inherent in the reliability of this data.”
It notes that such data may be unverified or easily falsified. Firms wishing to utilise such data should ensure that it is not taken at face value and has been analysed in some way. For example, Facebook profiles will only be considered where they are greater than two years old or have some analysis carried out to establish their veracity. This may involve scoring the likelihood that such a profile is legitimate or checking that the individual’s photos do not include pictures of cannabis factories etc.
Whatever approach firms take on this matter, it is vital that they document thoroughly the sources used, the scores apportioned to each factor and the justification for choosing a vendor and a scorecard.
The existing provisions for ensuring that individuals verified solely by electronic means are not being impersonated still stand. Firms should be aware that E-ID alone may still create other burdens, such as accepting funds from verified sources or verifying their client in some other way (see JMLSG Guidance 5.3.90).
Politically exposed persons
As mentioned previously, domestic politically exposed persons (PEPs) are now in scope and will be considered a risk. This is no surprise to anyone, as the UK had taken a contentiously soft approach to domestic PEPs, believing them to pose a lower risk. A spate of corruption scandals in recent years means the UK struggled to reinstate this rule; however, a recent FCA consultation may have provided some extra help on the matter:
This does, admittedly, mean that there is another risk assessment needed and firms will have to assess each PEP on a case by case basis looking at the geography, openness and the general controls which exist around PEPs, but this does allow a little more freedom to manoeuvre. Either way, where a higher risk PEP is identified, the guidance remains much the same as it did under 3MLD –
“(a) have approval from senior management for establishing or continuing the business relationship with that person;
(b) take adequate measures to establish the source of wealth and source of funds which are involved in the proposed business relationship or transaction with that person; and
(c) where the business relationship is entered into, conduct enhanced ongoing monitoring of the business relationship with that person.”
In effect, take measures to control the risk of bribery and corruption. I would point out, as always, that handling a PEP does not mean getting the ID of the 13th Duke of Argyll, but simply means establishing the source of wealth and carrying out more ongoing monitoring and review of the account. Firms with good monitoring systems should be able to create relevant rules to do this.
Risk assessments
Over the past few weeks, I have said a lot about risk assessments. I would like to pretend that this was a clear and intentional steer towards the requirements of the 4MLD but really that was just my own personal love for a good risk assessment. 4MLD was just a side benefit.
The basics have stayed the same, requiring firms to have in place assessments on:
(i) its customers;
(ii) the countries or geographic areas in which it operates;
(iii) its products or services;
(iv) its transactions; and
(v) its delivery channels.
This adds transactions as a new category to review. Fortunately, more detail is provided as to the scale and depth of such assessments, with JMLSG guidance now recognising that firms will rate and weight individual factors. Whilst no specific guidance is given on how to score the various elements, the following guidance is at least a start –
– Weighting is not unduly influenced by just one factor;
– Economic or profit considerations do not influence the risk rating;
– Weighting does not lead to a situation where it is impossible for any business to be classified as high risk;
– Situations identified by national legislation or risk assessments as always presenting a high money laundering risk cannot be over-ruled by the firm’s weighting;
– Firms are able to override any automatically generated risk scores where necessary. The rationale for the decision to override such scores should be documented appropriately.
This puts to bed the idea that a risk rating can be based on a single factor such as industry. This seems a sensible approach and one whose merits most firms are likely to see, as blanket bans (“We don’t touch the adult industry!”) are often softened when a large high street retailer is mentioned.
New guidance also explicitly requires that firms have a clear, documented methodology for a risk assessment –
“A firm must always be able to satisfy itself that the scores allocated reflect the firm’s understanding of ML/TF risk, and it should be able to demonstrate this to the FCA if necessary”
And also that the risk assessments should not be stand-alone, but should
“combine risk factors to achieve an overall risk score.”
Similarly to the commentary above around simplified due diligence, firms should ensure that high-risk clients using a high-risk product are treated differently from low-risk clients using low-risk products, and so on.
With the increased burden of extra risk assessments also comes more guidance: S33 of the current draft regulations and Annex 4 of the JMLSG provide factors which firms should be considering as part of their risk assessment process. I will not list them all here, as the relevance will vary from industry to industry, but suffice it to say that firms should conduct a gap analysis of these factors and ensure that they are including them all in a well-documented risk assessment.
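To make the scoring constraints described above concrete, here is an added worked example in Python. It is my own illustration, not JMLSG, FCA or fscom material, and everything in it is constructed: the five category weights, the rating bands, the sample customer's factor scores and the function names are all hypothetical. It combines the five assessment areas into an overall score, refuses a methodology in which one factor dominates or in which a “high” rating is unreachable, forces a “high” rating where legislation or the national risk assessment says so (which a firm's own weighting cannot overrule), requires a documented rationale for any manual override, and treats SDD eligibility as a function of the customer/product combination rather than the product alone.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple

# The five assessment areas named in the draft regulations: customers, countries or
# geographic areas, products or services, transactions and delivery channels.
# Each factor is scored from 1 (lowest risk) to 5 (highest risk).
CATEGORIES = ("customer", "geography", "product", "transaction", "delivery_channel")
MAX_FACTOR_SCORE = 5

# Constructed weights for illustration only; a firm's own methodology would set these.
DEFAULT_WEIGHTS: Dict[str, float] = {
    "customer": 0.25, "geography": 0.25, "product": 0.20,
    "transaction": 0.15, "delivery_channel": 0.15,
}

# Constructed rating bands: (name, inclusive upper bound) on the 1..5 weighted scale.
DEFAULT_BANDS: Tuple[Tuple[str, float], ...] = (("low", 2.5), ("medium", 3.75), ("high", 5.0))


def validate_methodology(weights: Dict[str, float], bands=DEFAULT_BANDS) -> None:
    """Reject a scorecard that breaks the weighting constraints in the guidance."""
    if set(weights) != set(CATEGORIES):
        raise ValueError("every category needs exactly one weight")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    # Weighting must not be unduly influenced by just one factor.
    if max(weights.values()) > 0.5:
        raise ValueError("one factor carries more than half the total weight")
    # Weighting must not make it impossible for anyone to be classified as high risk:
    # the top of the 'medium' band has to sit below the best achievable score.
    if dict(bands)["medium"] >= MAX_FACTOR_SCORE * sum(weights.values()):
        raise ValueError("the 'high' band is unreachable with these bands")


def band_for(score: float, bands=DEFAULT_BANDS) -> str:
    for name, upper in bands:
        if score <= upper:
            return name
    return bands[-1][0]


@dataclass
class Assessment:
    customer_id: str
    factors: Dict[str, int]
    score: float
    automated_rating: str   # what the scorecard produced
    rating: str             # the rating actually applied (after any override)
    mandatory_high: bool    # fixed by legislation / national risk assessment
    audit: List[str] = field(default_factory=list)


def assess(customer_id: str, factors: Dict[str, int], weights=DEFAULT_WEIGHTS,
           bands=DEFAULT_BANDS, mandatory_high_reasons: Sequence[str] = ()) -> Assessment:
    """Combine the factor scores into one overall rating with an audit trail."""
    validate_methodology(weights, bands)
    if set(factors) != set(CATEGORIES):
        raise ValueError("every category must be scored")
    for cat, s in factors.items():
        if not isinstance(s, int) or not 1 <= s <= MAX_FACTOR_SCORE:
            raise ValueError(f"{cat} score must be an integer 1..{MAX_FACTOR_SCORE}")
    score = round(sum(weights[c] * factors[c] for c in CATEGORIES), 2)
    automated = band_for(score, bands)
    a = Assessment(customer_id, dict(factors), score, automated, automated,
                   bool(mandatory_high_reasons))
    if mandatory_high_reasons:
        # Situations legislation or the NRA treat as always high risk override the scorecard.
        a.rating = "high"
        a.audit.append("forced high (cannot be overruled): " + "; ".join(mandatory_high_reasons))
    return a


def override(a: Assessment, new_rating: str, rationale: str, approver: str) -> Assessment:
    """Manual override of an automated score; must be documented and cannot lower a forced high."""
    if a.mandatory_high and new_rating != "high":
        raise ValueError("rating fixed as high by legislation/NRA; cannot be overruled")
    if new_rating not in {name for name, _ in DEFAULT_BANDS}:
        raise ValueError("unknown rating")
    if not rationale.strip():
        raise ValueError("a documented rationale is required to override a score")
    a.audit.append(f"override {a.rating} -> {new_rating} by {approver}: {rationale}")
    a.rating = new_rating
    return a


def sdd_eligible(a: Assessment, low_factor_max: int = 2) -> bool:
    """SDD depends on the customer/product combination, not on a low-risk product alone."""
    return (a.rating == "low" and not a.mandatory_high
            and a.factors["customer"] <= low_factor_max
            and a.factors["product"] <= low_factor_max)


# Constructed sample: a low-risk retail customer in a higher-risk country, onboarded remotely.
SAMPLE_FACTORS = {"customer": 2, "geography": 4, "product": 3, "transaction": 2, "delivery_channel": 4}

if __name__ == "__main__":
    a = assess("C-0001", SAMPLE_FACTORS)
    print(a.score, a.automated_rating, a.rating, "SDD:", sdd_eligible(a))
    override(a, "high", "constructed example: adverse media on the customer", "MLRO")
    print(a.rating, a.audit)
```

The sample customer scores 3.0, a “medium” rating, so SDD is not available even though the customer factor on its own is low; an override to “high” is accepted only with a written rationale and an approver, and both are kept on the assessment for the FCA to see.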
Some relief for firms who conduct limited up front due diligence is also provided, with JMLSG guidance stating that:
“a comprehensive risk profile may only become evident once the customer has begun transacting through an account, making the monitoring of transactions and on-going reviews a fundamental component of a reasonably designed RBA”
This suggests that for firms utilising simplified due diligence, or where limited client profiles exist due to the nature of their product sales, an initial trading period can be used to establish a risk profile. Firms wishing to do this must ensure that they have a comprehensive and clearly defined method for risk assessing and profiling their clients after a defined and measurable period.
Group companies
The UK Bribery Act added an element of extraterritoriality to the UK bribery regime, recognising that overseas firms acting on behalf of, or controlled by, a UK entity posed a risk of being used for facilitation and similar.
The new AML regulations mirror this:
“Where a UK financial institution has overseas branches, subsidiary undertakings or associates, where control can be exercised over business carried on outside the United Kingdom, or where elements of its UK business have been outsourced to offshore locations, the firm must put in place a group AML/CTF strategy. A firm that is a parent undertaking must ensure that its policies, controls and procedures apply to all subsidiary undertakings and non UK branches”
This will create some interesting obligations for overseas branches, including for firms that have subsidiaries in the US, where the requirement to obtain UBO information is lower than in the UK, or in locations where UBO data is not readily available.
Estate agents
I make reference to this here following a query posed to me after the fscom 4MLD update a few weeks ago. The question was, “are letting agents caught under the provisions of the 4MLD?”
This is an interesting question and the 4MLD refers back to the Estate Agents Act 1979 (I will admit, not my speciality) which suggests that the work of an estate agent will include anyone who is involved in “transferring or creating, elsewhere than in Scotland, a lease which, by reason of the level of the rent, the length of the term or both, has a capital value which may be lawfully realised on the open market;”
I suspect this means that different levels of letting agent will have different obligations: those offering a purely introductory service to find tenants may not be caught, whereas those offering a full-service approach may be. I will look into this and provide an update at a later date.
Evolution, not revolution
Those of you who were at the fscom update will perhaps have relaxed a little, particularly if you were already in possession of a robust and well-rounded risk assessment process.
The biggest hit will be for new entrants previously uncaught by AML regulations and for those relying on the SDD provisions, which will also no doubt affect all of us the next time we try to obtain a prepaid travel card for a holiday.
For those of you already in the industry, clearly the move is towards firms understanding and mapping risks in far more detail and then generating relevant controls to mitigate those risks. Firms will also need a better understanding of how their current systems, such as E-ID, work, what data sources they use and what mitigations those systems provide. This is obviously a good thing and will (hopefully) help firms understand that systems may not always be as effective or robust as they first thought.
The key next steps are for firms to conduct a gap analysis of their current processes versus the requirements of 4MLD and to start plugging those gaps!