The Money Laundering and Terrorist Financing (Amendment) Regulations 2019

Anti-money laundering banner

What lawyers need to know about the transposition of the Fifth Money Laundering Directive into UK law

On 10 January 2020 the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 came into force. This statutory instrument updates the UK’s existing anti-money laundering legislation to take into account the Fifth Directive.

The Anti- Money Laundering (Amendment) Regulations 2019

The 2019 Regulations amend:

  • The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs)
  • The Terrorism Act 2000
  • The Proceeds of Crime Act 2002
  • The Companies Act 2006

What do the Money Laundering Regulations 2019 do?

Among other changes outlined below, the Fifth Directive brings additional businesses into the scope of the anti-money laundering regulatory framework. Described as “obliged entities” in the Fourth Anti-Money Laundering Directive, these are defined as “relevant persons” in the MLRs and as businesses in the “regulated sector” in the Terrorism Act 2000 and the Proceeds of Crime Act 2002.

The requirements of the Fifth Directive transposed by the 2019 Regulations do not allow for the exemption of small businesses or any exemptions based on size.

This statutory instrument requires the Treasury to carry out a review of the regulatory provisions and publish a report setting out the conclusions of the review. The first report must be published before 26 June 2022 to align with the first review of the MLRs. Subsequent reports must be published at intervals not exceeding 5 years.

One minor provision in the Fifth Directive about safe-deposit boxes was required to be transposed by 10 January 2019. This was done by the Money Laundering and Terrorist Financing (Miscellaneous Amendments) Regulations 2018.

New relevant persons

The 2019 Regulations expand the regulated sector, adding new categories of relevant persons subject to the 2017 Regulations, in particular the duty to carry out CDD. This includes cryptoassets dealers, custodian wallet providers, art market participants where the value of the transaction exceeds €10,000 and letting agents where the monthly rent exceeds €10,000. Letting agents must apply CDD measures on both the tenant and landlord. In the UK, there are over 100,000 businesses within the scope of the MLRs.

Identifying ownership

The 2019 Regulations introduces an explicit CDD requirement for relevant persons to take reasonable measures to understand the ownership and control structure of their customers.

Relevant persons must also take reasonable measures to verify the identity of senior managing officials when the beneficial owner of a body corporate cannot be identified.

Electronic identification

The use of electronic identification processes for CDD is permitted where these processes are independent of the person whose identity is being verified, secure from fraud and misuse and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact the person with that identity.

Beneficial ownership discrepancies

Relevant persons must check beneficial ownership registers of legal entities in scope of the People with Significant Control (PSC) requirements before establishing a business relationship. Where there is a discrepancy between the beneficial ownership information on the registers and the information that is made available to them in the course of carrying out CDD, there is a requirement to report these discrepancies to Companies House. Companies House will investigate and, if necessary, resolve the discrepancy in a timely manner. These reports are excluded from public inspection.

Enhanced due diligence

Enhanced due diligence measures are required for any business relationships with a person established in a high-risk third country or in relation to any relevant transaction where either of the parties is established in a high-risk third country. The European Commission has published a list of 23 countries that are considered high-risk.

Policies

Relevant persons must have policies to ensure they undertake risk assessments prior to the launch or use of new products or business practices, as well as new technologies.

Parent undertakings must also ensure they have group-wide policies on the sharing of information about customers, customer accounts and transactions for AML/CTF purposes.

Relevant persons must also take appropriate measures to ensure agents used for the purposes of its regulated business receive AML/CTF training, ensuring a first line of defence against illicit finance.

Free guide to the Fifth Directive

VinciWorks has created a comprehensive guide on the changes under the Fifth Directive. The guide covers customer due diligence, ultimate beneficial ownership, cryptocurrencies and more. You can download the guide here.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.