The new Money Laundering, Terrorist Financing and Transfer of Funds (information on the Payer) Regulations 2017 were published on 16 March 2017. I shall refer to them as the MLTFR from here onwards. They come into force on 26 June 2017 after much politically exciting intervention.
Ostensibly adding layers of refinement to a regime that was essentially proving itself to be behind the times, the new MLTFR require the following:
- new risk assessments to be carried out at the levels of
- The Treasury and Home Office (to be completed by 26 June 2018)
- The supervisory bodies
- Relevant persons
- regulators can request to see risk assessments carried out by firms and offer advice as to what else should be included
- risk assessments must take into account client factors, service factors and geographical factors in deciding where the real risks lie
- the appointment of a ‘person responsible’ for AML compliance (besides the MLRO)
- ‘new’ definitions of beneficial owners, new rules on transparency and obtaining information
- ‘new’ definitions of politically exposed persons, with new risk-based rules on how to spot and deal with them
- new client information regarding the reasons why we collect data and its limited use for Data Protection Act purposes
- we can now trust estate agents.
Nothing of major significance has changed – much of the wording of the old rules being retained, though the relevant provisions have moved in the document itself – but the emphasis is much more practical than previously.
In the light of governmentally-expressed concerns about the porous nature of our defences to terrorist finance and laundered money the MLTFR require all parties – law firms included – to assess a range of factors (customer factors, service factors and geographical factors) in determining the extent of the ML/TF risk and the steps that firms need to take in response to them.
For example, the PEP definition now includes UK-based officials, but there is a wide range of assessments one can make about the risks posed by (say) a Nigerian prince, as opposed to a general in the UK army, and the steps that would apply to each of them.
There are also provisions which state that one cannot simply rely on Companies House data as to beneficial ownership (it is not updated quickly enough) but it provides that such data should be provided to a firm by the company within 2 working days of a request.
Further, reliance on estate agents is also now possible – though I doubt whether reliance will be relied upon much more than before.
I think the major pressure on law firms will be, essentially:
- to review internal risk assessment systems and processes to accord with the new provisions and document them
- Consider appointing a ‘person responsible’ for MLTFR compliance in addition to the MLRO (the COLP or COFA should do)
- Seek approval from the SRA of key owners of the firm (though the SRA Suitability Test should suffice for this – watch for SRA announcements)
- Review beneficial owners position (especially regarding PSC Regulations) and request the information
- Review enhanced CDD measures (especially including UK PEPs) and decide when additional measures should be used and, if so, what measures would be adequate
- Revise client information regarding the data protection ‘use’ of the personal data received
- to reinforce my long-held view that it is not the client identification which is the important part (we can all be duped by sophisticated fraudsters) but a full review and assessment of all the surrounding, supporting and peripheral aspects of the transaction and money movements which really matter.
We will await a new Law Society Practice Note with interest, particularly as it is to become the defining document for the whole regulated legal sector, not just solicitors.