Draft Money Laundering Regulations 2017 released – no CDD exemption for pooled accounts

UK 20 pound notes

On 17th March, HM Treasury released a draft of Money Laundering Regulations 2017, which transposes the Fourth Money Laundering Directive into UK Law. At the same time, the government published a new consultation requesting the public’s view on the draft. Below are the key takeaways.

No automatic exemption from enhanced due diligence for pooled accounts

The Law Society has lost its battle for an explicit assurance that financial institutions can apply simplified customer due diligence to pooled client accounts. SDD will only be permitted when the firms providing pooled accounts are considered low risk.

HM treasury said that “Pooled client accounts could potentially be exploited for money laundering”, citing examples and findings from the Government’s National Risk Assessment on money laundering.

VinciWorks will be updating all of its anti-money laundering courses accordingly and launching a new AML refresher course later in the year.

One-off company formation not exempt from Customer Due Diligence

Against the opinion of many stakeholders, HM Treasury has decided that when a trust or company service provider is asked to form a company, this is to be treated as a business relationship, whether or not the formation is the only transaction being carried out for that customer.

Non-exhaustive SImplified Due Diligence factors

The government has removed the list of products that could be automatically subject to SDD and has included the non-exhaustive list of factors that might warrant SDD under a risk based approach.

Sector-specific risk factors

The government will include sector-specific guidance and more detailed examples for when CDD should be applied.

When to apply CDD during ongoing monitoring

The government requested views on which changes in circumstances should warrant applying CDD measures to existing customers. Some of the factors that emerged were:

  • Name change
  • A change in marital status
  • A change of address could affect risk if it involved moving to a higher risk jurisdiction, or potentially out of their current area, or to a different price range
  • For companies, a change in the corporate structure, or significant change in beneficial ownership
  • A change in vocation or promotion at work for a customer could affect their money laundering risk, such as if the customer became a PEP
  • Where ownership of property changes, or where mortgages are paid off quickly or there is a change in the frequency of payments
  • A combination of two or more changes at the same time

Estate agents

Sub-agents can rely on due diligence carried out by principal agents. Lettings activity will not be covered by the regulations, but an estate agent must apply CDD to both parties in a transaction.

Outsourcing CDD

In certain circumstances, firms may rely on third parties to meet the CDD requirements. In consultation responses and comments at consultation events, the government has been informed that this reliance on third parties is very rarely used. With the ultimate responsibility for meeting CDD requirements remaining with the obliged entity, the responses noted that the risks of relying on a third party are generally greater than the benefits. Some consultation responses noted that one of the barriers to this reliance is that third parties can be slow in providing copies of identification documentation to help identify the customer or its beneficial owner.

Therefore, the government has proposed that a third party must provide necessary documents within two working days.

PEPs foreign and domestic

Politically Exposed Persons now includes domestic citizens as well as foreign ones, but businesses may take a proportionate approach and treat low-risk PEP’s to the lowest level of enhanced due diligence, particularly UK citizens.

Timetable

  • Comments on the new consultation must be submitted by 12 April 2017
  • The changes to national law come into effect by 26 June 2017

Effect of Brexit

According to the government consultation:

Until exit negotiations are concluded, the UK remains a full member of the European Union and all the rights and obligations of EU membership remain in force. During this period the government will continue to negotiate, implement and apply EU legislation.

VinciWorks offers anti-money laundering training

VinciWorks provides online training on anti-money laundering. Our course explains what money laundering is and raises awareness. By taking the training, users will learn to recognise transactions or activities which may be related to money laundering or terrorist financing through real life application of anti-money laundering procedures.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.