On 10 January 2020, updates to the UK anti-money laundering and counter-terrorist financing (together “AML”) laws come into force that bring the UK in line with international standards set by the Financial Action Task Force (FATF) and implement the EU’s Fifth Money Laundering Directive (the “2019 Amendments”).
The updates add new customer due diligence requirements for individuals and businesses subject to UK AML regulations (“Regulated Persons”), including credit institutions, financial institutions, insolvency practitioners, auditors, legal professionals and others.
The updated UK AML regime also now applies to new business sectorsthat will need to develop compliant AML systems and controls for the first time. These include: (i) cryptoasset exchange providers and custodian wallet providers, (ii) letting agents and art market participants in relation to transactions of €10,000 or more, and (iii) a broader category of tax advisors.
Cryptoasset businesses are now also required to register with the Financial Conduct Authority and will be subject to their supervision.
The 2019 Amendments are encapsulated in the Money Laundering and Terrorist Money Laundering and Terrorist Financing (Amendment) Regulations 2019, which amend the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the “Money Laundering Regulations”).
1. Additional Requirements for Regulated Persons
Regulated Persons, including credit institutions, financial institutions, insolvency practitioners, auditors and legal professionals, will now need to comply with additional considerations when conducting customer due diligence and in relation to their internal compliance policies and training.
(a) Beneficial Ownership and Control
Regulated Persons must now:
- take reasonable measures to understand the ownership and control structure of their customers;
- where they have exhausted all possible means of identifying the beneficial owner of a body corporate but have not succeeded, take reasonable measures to verify the identity of the senior person in the body corporate responsible for managing it and keep records of actions taken or difficulties encountered in doing so;
- check beneficial ownership registers and collect proof of registration before establishing a business relationship with entities subject to the People with Significant Control regime, including a company subject to the requirements of Part 21A of the Companies Act 2006, unregistered company, limited liability partnership, or eligible Scottish partnership; and
- report to Companies House any discrepancy they find between beneficial ownership information on the register and any information they collect during the course of conducting their due diligence.
The 2019 Amendments also clarify the circumstances in which electronic identification processes may be taken as a reliable source of a customer’s identity. Use of electronic identification processes for these purposes is permitted where the processes are independent from the customer whose identity is being verified, secure from fraud and misuse, and capable of providing an appropriate level of assurance as to the customer’s identity.
(b) Enhanced Due Diligence
Regulated Persons must now also take into account the following additional high-risk factors when assessing whether enhanced due diligence on their customers is necessary:
- where there is a relevant transaction for which either of the parties to the transaction is established in a high-risk third country (and the amended law now provides a definition of “established in” for these purposes);
- where the customer is the beneficiary of a life insurance policy;
- where the customer is a third country national who is applying for residence rights in or citizenship of an EEA state in exchange for transfers of capital, purchase of a property, government bonds or investment in corporate entities in that EEA state; and
- where the transaction relates to oil, arms, precious metals, tobacco products, cultural artefacts, ivory or other items related to protected species, or other items of archaeological, historical, cultural or religious significance or rare scientific value.
(c) Policies, Controls and Procedures
Prior to the 2019 Amendments, Regulated Persons were required to ensure that their compliance policies include risk assessment measures and, if necessary, mitigation of any money laundering or terrorist financing risks when undertaking “new technology.” This requirement has been expanded under the 2019 Amendments to include new products, new business practices, new delivery mechanisms, or new technology.
At the group level, Regulated Persons that are parent undertakings are required to establish and maintain throughout its group policies, controls and procedures for data protection and sharing information for the purposes of preventing money laundering and terrorist financing with other members of its group. The 2019 Amendments have made explicit that these policies, controls and procedures must include policies on the sharing of information about customers, customer accounts and transactions.
The Money Laundering Regulations have also been expanded to include an obligation on Regulated Persons to ensure that certain classes of agents, as well as their employees, are trained on AML and counter-terrorist financing law and how to recognise and deal with transactions and other activities that may relate to money laundering and terrorist financing. This requirement will apply to agents that a Regulated Person uses for the purposes of its business where the agents’ work is (a) relevant to the Regulated Person’s compliance with the Money Laundering Regulations or (b) is otherwise capable of contributing to the identification, mitigation of risk, prevention, or detection of money laundering or terrorist financing in relation to the Regulated Person’s business.
2. New Business Sectors Now Subject to Anti-Money Laundering Requirements
The 2019 Amendments extend the scope of the Money Laundering Regulations to the following business sectors, which must now also register with the HMRC or the FCA as well as comply with customer due diligence requirements.
|Newly regulated business sector||Business sector definition to fall within the Money Laundering Regulations||Regulator for registration requirements|
|Cryptoasset exchange provider||A firm or sole practitioner who by way of business provides one or more of the following services (including as creator or issuer of any of the cryptoassets involved): |
(i) exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets or one cryptoasset for another; or
(ii) operating a machine that utilises automated processes to exchange cryptoassets for money or vice versa (i.e., cryptoasset automated teller machines).
For these purposes, “cryptoasset” means a cryptographically-secured digital representation of value or contractual rights that uses a form of distributed ledger technology and can be transferred, stored or traded electronically.
|Financial Conduct Authority|
|Custodian wallet provider||A firm or sole practitioner who by way of business provides services to safeguard, or to safeguard and administer: (i) cryptoassets on behalf of its customers or (ii) private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets.||Financial Conduct Authority|
|Letting agent||A firm or sole practitioner who, or whose employees, carry out letting agency work, which means work: (i) done in response to instructions received from a prospective landlord or tenant and (ii) done where there is an agreement concluded for the letting of land for at least a month and at a monthly rent of at least €10,000 during at least part of the term.||HMRC|
|Art market participant||A firm or sole practitioner who: (i) by way of business trades in, or acts as an intermediary in the sale or purchase of, works of art and the value of the transaction, or a series of linked transactions, amounts to €10,000 or more or (ii) is the operator of a freeport that by way of business stores works of art and the value of the works of art stored amounts to €10,000 or more.||HMRC|
The 2019 Amendments also expand the definition of “tax advisor” from a firm or sole practitioner who by way of business provides “advice about the tax affairs of other persons” to include those that provide “material aid, or assistance or advice, in connection with the tax affairs of other persons, whether provided directly or through a third party.”
3. Regulation of Cryptoasset Businesses by the FCA
It is essential that cryptoasset businesses that fall within the Money Laundering Regulations be aware of their new obligations to, and the new powers of, their regulator, the FCA. Key aspects of this new regime include:
- Registration: From 10 January 2020, new cryptoasset exchange providers and custodian wallet providers will be required to register with the FCA before carrying on cryptoasset activity. The FCA has stated on its website that existing cryptoasset businesses which were already carrying out cryptoasset activity before 10 January 2020 may continue their business, in compliance with the amended Money Laundering Regulations, but must register by 10 January 2021 or stop all cryptoasset activity.
- “Fit and proper” test: In order for their registration to be approved, a cryptoasset exchange provider or custodian wallet provider and their officers, managers or beneficial owners must satisfy a “fit and proper” test based on an FCA assessment of their skills, experience and ability to act with probity.
- Additional disclosure requirements: Where a cryptoasset exchange provider or custodian wallet provider establishes a business relationship or enters into a transaction with a customer that arises out of any of its activities as a cryptoasset business that is not subject to the protections of the Financial Ombudsman Service or the Financial Services Compensation Scheme, the cryptoasset business must inform the customer of the position.
- New reporting requirements: The amended Money Laundering Regulations include requirements for cryptoasset businesses to report to the FCA such information as the FCA may direct about their compliance with the Money Laundering Regulations or any other information reasonably required by the FCA in connection with the exercise of its supervisory functions.
- New FCA supervisory and enforcement powers: Under the 2019 Amendments, the FCA has the power to appoint, or require the appointment of, a skilled person to review a cryptoasset business’ AML systems and controls. The FCA also has the power to impose written directions on cryptoasset exchange providers and custodian wallet providers to remedy or prevent failures to comply with the Money Laundering Regulations or other money laundering or terrorist financing risks.
4. New Duty on Credit Institutions to Respond to Requests for Information on Accounts
The 2019 Amendments insert a new Part 5A into the Money Laundering Regulations, which requires the government to establish a central automated mechanism or “portal” for the UK’s Financial Intelligence Unit and competent authorities to access details relating to UK bank accounts, credit union accounts, and safe-deposit boxes. The information that may be accessed via this portal is to include names, dates of birth, and addresses of account holders, as well as of people with beneficial interests in information about the accounts (e.g., account numbers, dates of opening, etc.) and details of any persons with access to or control over the accounts.
The new Part 5A does not impose any additional requirements for institutions to collect data. However, Part 5A imposes a duty on banks, building societies, safe-deposit box providers and some credit unions to establish and maintain systems which enable those institutions to respond to requests made via the portal and to retain records accessible through the portal for five years.
Regulated Persons, including those added under the 2019 Amendments, must comply with the vast majority of the amended Money Laundering Regulations from 10 January 2020. Two notable exceptions are for amended customer due diligence requirements for anonymous pre-paid cards (which do not come into force until 10 July 2020) and the bank account portal regulations under the new Part 5A (which do not come into force until 10 September 2020).