Getting to grips with KYC post MLR 2017
The fourth EU Money Laundering Directive was passed on 25th June 2015, and a two-year window granted for implementation. The objective of the updated EU directive was to introduce new international standards to combat money laundering and terrorist financing, and to adapt EU rules to new threats and market developments.
In the UK, the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017) came into force on 26th June 2017 having been laid before Parliament and approved on 22nd June 2017. The regulations transpose the guidelines in the EU Directive into UK Law. Regulated businesses are now faced with the task of ensuring both their firm-wide and client-specific risk assessment processes and Customer Due Diligence (CDD) procedures are sufficiently robust to comply with MLR 2017.
Key Changes to UK Regulations
Amongst other changes, MLR 2017 brought with it numerous updates to the requirements for conducting Due Diligence and KYC. The changes are designed to bring a more robust risk-based approach to the prevention of money laundering and terrorist financing. The new Regulations are detailed, but the main Due Diligence and KYC changes are as follows:
MLR 2017 sets out the procedure that must be followed to analyse a business’s potential exposure to money laundering or terrorist financing. This means that a firm must produce a written AML risk report addressing its customers, countries of operation, products and services, transactions, delivery channels, and the size and nature of the business. The findings of this assessment must then be translated into written policies. This is an enhancement to MLR 2007, which was less prescriptive in its risk assessment requirements.
Simplified Due Diligence:
A central change introduced by MLR 2017 is that the circumstances in which simplified due diligence can be applied will now become more restricted. In a significant development from MLR 2007, there ceases to be an automatic entitlement to simplified due diligence for specific customers. Rather, there will now be a need for customer risk assessments to determine the level of risk posed by a customer (considering types of customers, geographic areas, and products, services, transactions, or delivery channels), and firms will need to provide robust rationale and justification for applying simplified due diligence measures. This is likely to put customer risk assessments under enhanced regulatory scrutiny and increase the record keeping controls required in this area.
Enhanced Due Diligence:
Regulation 33 provides a non-exhaustive list of situations where Enhanced Due Diligence (EDD) must be applied. This includes correspondent banking (extended to include relationships between two financial or credit institutions) and Politically Exposed Persons (PEPs). Furthermore, any situation identified as one where there is a high risk of money laundering or terrorist financing; where a transaction or business relationship is established in a high-risk country; or any other circumstances where complex or unusual transactions are involved with no apparent economic or legal purpose, will be subject to EDD.
MLR 2017 now applies to local PEPs the requirements that previously applied only to foreign PEPs. In practice, this means EDD requirements for a broader range of individuals who have been entrusted with prominent public functions both in the UK and overseas. This change will broaden the scope of application of EDD checks, and regulated firms will need to review their existing client portfolio to ensure any domestic PEPs have been categorised correctly.
CDD Record Retention:
Firms will be required to retain records of CDD documents and supporting evidence for at least five years after the end of the business relationship or occasional transaction.
Beneficial Owners – Trusts:
The beneficial owner provisions of the Money Laundering Regulations 2017 are broadly the same as before except that there are now more detailed provisions defining the beneficial owners of a trust. In addition to the class of persons in whose main interest the trust is set up or operated (the beneficiaries), the settlor, the trustees and any individual who has “control” over the trust will be beneficial owners.
What steps will financial institutions have to take?
The above changes will prompt regulated firms to re-assess their Anti-Money Laundering and Counter Terrorist Financing policies and procedures, and will have an impact on the degree of KYC procedures and Customer Due Diligence needed:
In order to successfully identify the discrepancy in current policies and procedures, firms may wish to perform a gap analysis against the new regulations for compliance (taking into consideration the updated industry guidance to counter any risk of misinterpreting the new guidelines);
This will lead to reviewing and revising risk assessments, AML policies and procedures, and making updates to reflect these changes accordingly;
KYC policies and documentation should be reviewed and amended, to remove automatic application of Simplified Due Diligence and to take account of the extended requirements for the application of EDD. They will also need to be amended in line with the updated beneficial ownership provisions in relation to trusts. This will be the most significant change in relation to KYC requirements for client onboarding and ongoing KYC monitoring;
Firms will also have to ensure that they are sufficiently resourced to effectively implement the measures required, and to perform any required remediation work. To be prudent, they may also consider adding an audit function to test the new procedures;
Existing training procedures will need to be enhanced to take account of the KYC changes introduced by the Money Laundering Regulations 2017.
It will be important for financial institutions to ensure that they have fully understood the changes within the regulations and are fully compliant with the new expectations. Previous non-compliance with the AML Regulations has landed some banks with hefty penalties, as can be seen as recently as January 2017, when Deutsche Bank were fined £163,076,224 by the FCA. This fine was for failings related to poor AML controls, one of which was performing inadequate Customer Due Diligence.
With the updated regulations placing more emphasis on risk-based KYC and widening the net for Enhanced Due Diligence, it remains to be seen whether this will be a straightforward transition or not: MLR 2017 contains double the number of Regulations of its predecessor, so there is considerably more detail to contend with to ensure compliance.
However, as Financial Services firms endeavour to get to grips with the changes initiated by the fourth EU Directive, proposals are already underway for the fifth Money Laundering Directive, with more updates. Proposed amendments include improvements around enhanced controls related to beneficial ownership structures, and stricter measures regarding virtual currencies. And so, the relentless fight against global money laundering continues, bringing with it the ever-changing regulatory framework for KYC and AML.
Colette joined FinTrU in 2017 and currently works as a Team Lead in the KYC Client Onboarding Team for a Tier 1 investment bank. Colette has 19 years’ experience in the Financial Services sector, most recently within the AML Compliance and AML Risk Management areas. This experience has provided Colette with extensive knowledge and experience in AML legislation, procedures, risk management and people management.
Colette is experienced in the KYC and Customer Due Diligence areas, having provided advisory guidance in relation to KYC, written KYC procedures, completed monitoring and testing on KYC processes and procedures, along with designing and delivering training on CDD and EDD KYC requirements.
Along with her comprehensive AML experience, Colette also holds the ICA Diploma and Advanced Certificate in Anti Money Laundering.