The Fifth Directive – The Compliance Officer’s guide to AML

Nick Henderson, Director of Course Development at VinciWorks
Nick Henderson, Director of Course Development at VinciWorks

The UK is obligated to transpose Directive (EU) 2018/843, commonly known as the Fifth Money Laundering Directive (5MLD), into national law by 10 January 2020. Despite Brexit and the flexible date of Britain leaving the EU, the terms of the implementation of 5MLD are set out in the Withdrawal Agreement between the UK and European Commission. Even if such an agreement doesn’t end up being the foundation of Brexit, the 5th Directive will need to become law in the UK.

In April 2019, the UK government launched its consultation on transposing the Fifth Directive into UK law. It contains a number of important expected changes and additional obligations all compliance officers should know about. For those who wish to respond, the consultation is running until 10 June 2019.


5th Money Laundering Directive – Key Changes Compliance Officers Should Know

Here, we provide a comprehensive accounting of all the key changes compliance officers should know about the Fifth Directive.

Training

Obliged entities are already required to train their staff on AML, many of which chose to do so with VinciWorks’ AML training suite. However, the consultation proposes to vastly expand this training requirement. Obliged entities will be required to ensure employees of their agents and sub-agents receive relevant AML training. This will essentially require mapping out all agents, and all of their agents, and ensuring all of those employees receive training.

VinciWorks recommends simply adding those third-party employees in bulk to your existing LMS and AML training plans; or at least planning for a larger AML training budget or contractual obligations with agents to ensure adequate training, if that doesn’t already exist. Remember that the proposed change places the onus on the obliged entity to ensure its agents and sub-agents are trained. It is likely this will have to be demonstrated through training records. This is already outlined in the training requirements of the Money Laundering Regulations 2017.

Try now: Anti-Money Laundering: Know Your Risk

More obliged entities

With thousands of estate agents and law firms being hit with surprise AML compliance checks, ensuring your business is following the correct AML procedures has never been more important. The consultation proposes an expansion of obligated entities to cover an even greater number of businesses.

Tax advisers will become obliged entities under the proposals put forth in the government’s consultation, including sole practitioners who help others with their taxes. Estate agents were required to undertake CDD on both parties of a transaction by the Fourth Directive, but only for the purchase or sale of a property. The money laundering regulations will be expanded to cover letting agents who are involved in rents of over €10,000 per month. However, the government is considering reducing that threshold to cover more properties.

Art intermediaries, including galleries and auction houses, will also become obliged entities for transactions (or linked transactions) greater than €10,000. HMRC will be the supervisory authority for art intermediaries. Although in order to determine which transactions will be subject to AML checks, the government first needs to define what a work of art is, which the consultation seeks to get views on.

Cryptocurrency

Cryptocurrency regulation is one of the biggest changes to be brought in by the 5th Directive. Virtual currencies, most famously bitcoin, will gain a legal definition, as will wallet providers, the brokers of virtual currencies. Both virtual currencies and wallet providers will fall under the scope of AML regulation and will be supervised by the Financial Conduct Authority (FCA).

CDD checks

Client due diligence checks are set for quite a shake-up, given the proposals in the consultation. Obliged entities are currently required to take reasonable measures to verify the identity of a client, but this will be expanded to a requirement to identify beneficial owners, senior managers, the nature of a customer’s ownership and the control structure.

There will also be a requirement to collect proof of a business’ registration, such as through Companies House for public companies, but only for new business, i.e. after the regulations have come into force.

CDD will also become more regular, as it will have to be applied at least once per calendar year when the obliged entity contacts the customer for a renewal of their beneficial ownership information, or when identifying offshore accounts under the International Tax Compliance regulations (DAC2).

EDD checks

Enhanced due diligence measures for high-risk countries are also being tightened under the 5th Directive. Long gone is the whitelist of trusted jurisdictions. The Fourth Directive introduces the concept of risk assessments to identify high-risk countries which should be subject to enhanced due diligence checks. Under the current Money Laundering Regulations 2017, this applies to ‘natural persons or legal entities established in the [high risk] third countries.’ However, this is being expanded to ‘business relationships or transactions involving high-risk third countries’.

The definition of involving will not apply to UK citizens who are dual nationals of said high-risk countries. Nor will the government require the first payment from a new customer to be carried out through an account in the customer’s name as recommended by the Fifth Directive.

Trusts

Dealing with trusts will get more complicated under proposals in the consultation. The government will require all trustees or agents of UK trusts, as well as some non-EU trusts which acquire UK land or property, to register with the HMRC’s Trust Registration Service (TRS) regardless of whether the trust has a UK tax consequence.

These rules will cover discretionary trusts, many types of bare trusts, charitable trusts and employee ownership trusts. However, EU resident express trusts which are already registered in another Member State will not need to re-register in the UK, only provide proof of their registration.

The dates for TRS registration will also be shaken up, with the current annual deadline of 31 January disappearing in favour of a requirement to register 30 dates after the trust is created, along with deadlines of 30 days for updating the TRS of changes to details. Penalties for non-reporting will also come into force, as opposed to the current self-assessment penalty regime.

Criminal checks

Managers and beneficial owners applying to a professional body will no longer be able to self-certify they do not have a criminal conviction. Instead, they must include sufficient information to enable the authorities to make that decision – most likely a criminal record check.

Financial institutions

Financial institutions will be required to carry out risk assessments on all new products, business practices and delivery mechanisms, as opposed to the lack of requirements under current law. Regarding data protection, financial groups will have to implement policies, controls and procedures relating to the provision of customer, accounting and transaction information for AML/CTF purposes.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.