Clifford Chance

On 10 January 2020, the bulk of the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (MLRs 2019), which implement the Fifth Money Laundering Directive (5MLD) in the UK, come into force.

The MLRs 2019 make a number of changes to the existing UK anti-money laundering regime in various areas, including amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017) as well as to related primary legislation including the Companies Act 2006, the Proceeds of Crime Act 2002 (POCA) and the Terrorism Act 2000 (the latter two particularly relevant to suspicious activity reporting by businesses newly subject to AML requirements).

Summarised here are what we see as key takeaways from the amendments.

For existing regulated firms:

Firms that are already regulated will be familiar with the AML regime, and in particular requirements to have in place adequate policies and procedures, due diligence on customers (KYC / KYB) and training. However, there are additional requirements to implement, including:

• Policies, controls and procedures: firms are already required to consider the adequacy of policies, controls and procedures when new technology is adopted, but this has now formally been expanded so that firms are required to ensure that appropriate measures are taken to assess and mitigate money laundering and terrorist financing risk when new products, business practices (including new delivery mechanisms) or new technology are introduced.
• Customer due diligence (CDD) - electronic verification: additional wording is inserted in respect of "verification" of certain customer information obtained during CDD to provide that information may be regarded as obtained from a reliable and independent source where "it is obtained by means of an electronic identification process" which is "secure from fraud and misuse and capable of providing an appropriate level of assurance" of identify. In practice, this indicates a shift towards using electronic verification rather than hardcopy identification documents, but is accompanied by the requirement that the firm must ensure that the tool used is adequate and reliable - which means that a firm cannot rely on using a third party's electronic tools without sufficient oversight.
• Customer due diligence (CDD) – beneficial ownership: firms are required to update their records relating to the beneficial ownership of corporate clients. Further, firms are required to collect proof of registration or an excerpt from the company register for certain entities (which many firms will already be doing), but are also now required to report to the registrar any discrepancy found between information on beneficial ownership gathered by the firm (whether through conducting CDD or otherwise received), and the registration information collected.
• Enhanced due diligence (EDD) – high risk countries: the requirement to conduct EDD for high risk countries has been expanded, so that firms must now conduct EDD not only on any “business relationship with a person established in a high risk third country" but also "in relation to any relevant transaction where either of the parties to the transaction is established in a high risk third country". In practice, this will mean conducting due diligence on individual transactions, or on series of transactions as appropriate on a risk-based approach. A "high risk country" is one identified by the European Commission in delegated acts adopted under the Fourth Money Laundering Directive as a high-risk third country, which currently include the Democratic People's Republic of Korea (DPRK), Iran and others.
• Enhanced due diligence (EDD) – other high risk factors: in addition to the above, the FCA specifically highlights on its dedicated Money Laundering Regulations site other additional high-risk factors firms are required to include when assessing the need for EDD and whether to seek additional information and monitoring in certain cases, including where:
  • the customer is the beneficiary of a life insurance policy;
  • the customer is a third-country national seeking residence rights or citizenship in exchange for transfers of capital, purchase of a property, governments bonds or investment in corporate entities;
  • non-face to face business relationships or transactions without certain safeguards; and
  • transactions related to oil, arms, precious metals, tobacco products, cultural artefacts, ivory or other items related to protected species, or archaeological, historical, cultural and religious significance, or of rare scientific value.
• Training: the existing requirement to provide training for relevant employees has been expanded, so that firms which use agents for the purposes of its business must also provide training to those agents and keep records of that training in the same way as for employees.

For new regulated firms:

Various additional businesses now come within the perimeter of the UK AML regime, which include businesses that will be supervised by HMRC and businesses that will be regulated by the FCA for the purposes of compliance with the MLRs 2017. In addition to letting agents and art market participants, notable new inclusions are businesses which are "cryptoasset exchange providers" and "custodian wallet providers".

• Cryptoasset exchange providers are, firms which exchange, arrange or make arrangements (whether automated or otherwise) for the exchange of money (i.e. fiat currency) and cryptoassets; or of one cryptoasset for another
• Custodian wallet providers are firms that provide services to safeguard, or to safeguard and administer: cryptoassets or private cryptographic keys on behalf of its customers, or which hold, store and transfer cryptoassets.
• "Cryptoasset" means "a cryptographically secured digital representation of value or contractual rights that uses a form of distributed ledger technology and can be transferred, stored or traded electronically”, and includes a right to, or interest in, the cryptoasset for the purposes of cryptoasset service providers.

From 10 January 2020, these firms will be subject to the requirements of the UK AML regime, as amended by the MLRs 2019, and so are required to assess the money laundering and terrorist financing risks they face and fulfil customer due diligence obligations. They will also be required to report any suspicious activity they detect under the suspicious activity reporting (SAR) obligations in POCA 2002 and the Terrorism Act 2000.

These firms are also obliged to register with the FCA during 2020 and to comply with the requirements of the FCA as their regulator more generally. Specifically, the FCA requires:

• new cryptoasset businesses that intend to carry on a cryptoasset activity after 10 January 2020 must be registered before they can carry on the activity; and
• existing cryptoasset businesses which were already carrying out cryptoasset activity before 10 January 2020 may continue their business, in compliance with the MLRs 2017 (as amended), but must register by 10 January 2021 or stop all cryptoasset activity.

Guidance on the amendments made by the MLRs 2019

It is expected that the existing guidance on the UK AML regime will be updated to reflect the changes made by the MLRs 2019 in due course (the Government not yet formally having issued a response to its consultation on transposition of 5MLD which closed in June 2019). In the meantime, on its dedicated Money Laundering Regulations site the FCA highlights some specific new areas that firms need to comply with.

The FCA has said that it has no plan to put out separate guidance on the application of the AML framework to cryptoassets at present, and firms are referred to the existing Financial Crime Guide for (non-crypto specific) examples. We understand that the JMLSG does intend to finalise and publish new guidance by 10 January 2020, although we have not seen this at the time of writing.

Notwithstanding the lack of specific guidance, the FCA is clear that firms which now fall within the scope of the regime must ensure they have systems and controls in place for compliance with AML requirements, stating: "We expect firms to comply with the new, amended regulations from 10 January 2020. In assessing our approach to firms that may not be compliant on that date, we will take into account evidence that they have taken sufficient steps before that date to comply with these new obligations."

Firms must therefore consider the existing framework and guidance, including the relevant sections of the FCA Handbook, the JMLSG Guidance and the FCA's existing guidance (e.g. the Financial Crime Guide) and publications on the subject. Industry publications (such as Global Digital Finance's Code of Conduct for KYC/AML/CTF) may also be of assistance.