Upcoming changes to the Money Laundering Regulations 2017

Part 6: Upcoming changes to the UK’s anti-money laundering regime

In July 2021, HM Treasury launched a new AML consultation entitled ‘Amendments to the Money Laundering Terrorist Financing and Transfer of Funds Regulations 2017’. This consultation outlined ways in which the government intended to amend the UK’s money laundering regulations (MLRs) with several time-sensitive updates. The planned updates are required to ensure that the UK continues to meet international AML standards, whilst also clarifying how the UK’s anti-money laundering and counter-terrorist financing (AML/CTF) regime works. 

The changes to the MLRs have been made through draft secondary legislation entitled ‘the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022’. Most of the measures in this SI will come into force on 1 September 2022, subject to parliamentary approval

In this series of blog posts, we take a closer look at what these changes will mean for anti-money laundering compliance.

Bank Account Portal (BAP)

The government reviewed the case for building a BAP. Given the uncertainty over the benefits, and substantial cost to the public and private sectors, the government decided against building a BAP. Therefore, the SI will remove the now redundant obligations on the private sector under Part 5A of the MLRs.

Terrorist Financing and Asset Freezing etc Act 2010

Upon leaving the EU, the Terrorist Asset-Freezing etc Act 2010 (TAFA) was replaced by the Counter-Terrorism (Sanctions) EU Exit Regulations) 2019. The reference to TAFA in the MLRs is now redundant and will be removed. This amendment will ensure historic legislation is not referenced in the MLRs. This measure is a minor, clarificatory change and was therefore not included in the SI Consultation Document.

Regulation 15 Exclusions

This measure will amend Regulation 15(3)(f) to include in its reference to relevant persons under Regulation 8(2), AMPs (8(2)(i)), cryptoasset exchange providers (8(2)(j)), and custodian wallet providers (8(2)(k)). Their exclusion appears to have been an oversight from when 5MLD was transposed not to include these activities under Regulation 15(3)(f) and creates a potential loophole, and this measure will close the loophole. This measure was not included in the SI Consultation Document as it was considered to be a minor clarificatory change.

Change in control-cryptoasset firms

Currently, it can take up to 90 days from the date of acquisition to cancel a cryptoasset firm’s registration if the FCA is not satisfied that the firm or its beneficial owner is fit and proper. This leaves a gap in which firms could bypass the MLRs’ registration gateway by acquiring already registered cryptoasset firms, potentially enabling the acquiring firm to undertake illicit activities before the FCA could take action. 

This measure will close this gap by amending Regulation 57 and adding a new regulation, 60B, which will require proposed acquirers of cryptoasset firms to notify the FCA ahead of such acquisitions, allowing the FCA to sufficiently assess the acquirer and providing them with the power to object to any acquisition before it takes place and cancel registration of the firm being acquired.

This measure will come into force as soon as possible once the SI is made.

Notices of refusal to register

This change was consulted on as part of the 2019 Transposition of the Fifth Money Laundering Directive consultation and was therefore not included in the consultation for this SI. This measure will enhance the transparency of the decision-making processes and has been developed with the FCA in tandem with the amendments to Regulations 57 and 59 of the MLRs. This measure will therefore also come into force at the earliest opportunity once the SI is made.

VinciWorks’ AML and SRA training and solutions

SRA compliance solution – personalised training and centralised reporting

SRA compliance solutions

Get your entire firm on board with the SRA compliance process with our complete SRA compliance solution. The SRA puts a significant burden on firms to train their staff on the Standards and Regulations in addition to managing compliance registers and processes such as annual declarations, undertakings, diversity surveys and more. Our SRA compliance suite allows firms to comply with every requirement of the SRA through personalised SRA training and centralised SRA reporting.

Anti-money laundering training and client onboarding solution

Our anti-money laundering training is interactive and customisable for any business and any user, anywhere. Our courses are packed with realistic scenarios, real-life case studies and every customisation option you can think of. We have everything from in-depth induction training to refresher courses and five-minute knowledge checks. 

Our AML client onboarding solution offers one central platform to complete client risk assessments, due diligence and ongoing monitoring. Using Omnitrack, our centralised, flexible tracking and reporting tool, our AML solution enhances both the risk assessment and document collection aspects of client onboarding.

If you are interested in any of our solutions, complete the short form below and a member of our team will get in touch.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.