Proliferation financing – new rules in force

New requirements for money laundering regulated entities

Legislative background

A series of amendments to the UK Money Laundering Regulations 2017 came into force 1 September 2022. The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 include an obligation for regulated entities to identify, assess and mitigate the risk of proliferation financing (PF). We have further detailed guidance on these amendments here.

Regulated entities have the flexibility to create a new risk assessment on PF, or to incorporate proliferation financing into their existing money laundering and terrorist financing risk assessments.

The Treasury will conduct a national risk assessment in relation to proliferation financing, and regulated persons will also be required to take appropriate steps to identify and assess the risks to which their business is subject, and to establish and maintain policies, controls and procedures to mitigate and manage these effectively.

Who is required to comply?

According to FATF standards, all persons which are regulated entities, including credit institutions, financial institutions, estate agents and others, will be required to assess their PF risks. This includes sectors which are likely to pose a low proliferation financing risk. Relevant supervisors are likely to produce sector-specific guidance in coordination with the Treasury. 

What is proliferation financing?

Proliferation financing is defined by the FATF as the provision of funds or financial services used for the manufacture, acquisition, possession, development, export, trans-shipment, brokering, transport, transfer, stockpiling or use of nuclear, chemical or biological weapons and their means of delivery and related materials, including both technologies and dual-use goods used for non-legitimate purposes.

A key focus on preventing the threats posed by Proliferation Financing is the strict implementation of the sanctions regime on North Korea and Iran, as well as preventing chemical weapons activity. 

Sanctions laws apply to all businesses. Any business who breaches a UK sanctions regime could be fined or subject to criminal prosecution. Breaching sanctions was recently made a strict liability offence, meaning a business only has to have breached the law to be liable for a penalty, there is no requirement for intent. 

How can proliferation financing occur?

Because proliferation financing is a financial crime, it can affect any business. In fact, those involved in PF are more likely to target smaller companies or those with less robust procedures.

Insuring a North Korean ship

A UK-based specialist underwriter was provided with a re-insurance policy for a vessel which had links to North Korea. This was presented through a subsidiary based in a third country, and the underwriter provided cover for an insurer in that third country, who in turn insured the vessel.

After it was insured, both the vessel and the owning company were designated by the UN and UK sanctions regimes for involvement in ship-to-sip petroleum transfers with a North Korean flagged vessel. The underwriter was informed of the sanctions breach, cancelled the policy and notified the OFSI. 

Because the insurance policy occurred prior to the application of international sanctions, the policy was then cancelled and no premiums were received afterwards, no sanctions breach occurred. The underwriter was urged to freeze any designated entity premium payments received in the future, however.

Had the insurance policy not been quickly cancelled, it would have posed a serious proliferation financing risk. This is due to the fact the UK underwriter would have facilitated the transport of proliferation-sensitive items and materials, thereby generating funds for the North Korean regime and furthering proliferation.

The business could have faced a range of penalties, including a monetary penalty of up to £1m or 50% of the value of the breach, whichever was higher.

Covering up Iranian procurement

A UK national was successfully prosecuted for their involvement in the purchase of US and Russian aircraft parts for Iran. The UK national worked for a Singaporean company which procured aircraft parts from the US, imported them to Singapore and diverted the goods to Iran.

The company directors were indicted, and one was prosecuted and jailed in the US. The UK national however subsequently set up front companies in the UK, UAE, Malaysia and the British Virgin Islands to re-establish the illicit procurement network.

The UK company was the ultimate beneficiary through payments made from a Cypriot bank account opened by the British Virgin Islands based company. The Malaysian entity then exported the aircraft parts from Malaysia to Iran. The Iranian entities were subject to UN and EU sanctions, and the payments were made through third party Iranian entities via money exchanges in several Middle Eastern countries, before the funds were then sent to Malaysia. 

Lessons from these cases

Procurement financing is as complex and involved as many other types of financial crime and money laundering. Actors will take extensive steps to obscure their activities and ownership, and will manipulate the financial system and legitimate businesses in order to further the proliferation of weapons of mass destruction. 

What to do now

  • Review your business for PF risks with a dedicated risk assessment process
  • Review your AML policies and sanctions policies in light of PF risks
  • Amend your risk assessments to incorporate PF risks
  • Implement specific controls and measures highlighted by the PF risk assessment
  • Record these controls and analyse their effectiveness
How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.