The money laundering regulations 2017 are now in force – are you compliant?

The range of entities that come within the regulated sector has been expanded. The breadth and depth of the CDD that they will be expected to apply has also been extended. There are more particulars within MLR 2017 as to who must be subject to the policies, procedures and controls. Firms will need to embed these changes into their documentation and practices.

Under the Money Laundering Regulations 2007, if a customer or product fell into one of the listed categories (provided that there were no other high risk factors), then firms could automatically apply SDD. This is no longer the case. Firms will now need to assess whether a business relationship or transaction presents a lower degree of money laundering or CTF risk before deciding what due diligence steps to take. Evidencing the approach taken is also important particularly in situations where a firm has determined there is a lower degree of risk and therefore applies SDD.

The application of EDD and enhanced monitoring measures have been extended. The definition of correspondent relationships makes inter-bank relationships potentially high risk. The definition of PEPs now includes domestic as well as foreign ones. A list of high-risk third countries is to be provided by the European Commission. All these changes will have an impact on the risk profile of a customer book, and may require review and possible amendments to existing customer risk assessment methodologies.

CDD measures must be applied to existing customers at appropriate times on a risk-sensitive basis, and in any event, when circumstances relevant to the risk assessment have changed. So a common industry practice has now been embedded into law – but what does this mean for the conduct of periodic reviews, and how do you monitor compliance with trigger event reviews?

The MLR 2017 extends the definition of a PEP to include those individuals who hold a domestic prominent public position (as well as foreign PEPs), members of governing bodies of political parties, and the directors, deputy directors and members of the board or equivalent function of an international organisation. Senior management approval is now required in order to both establish and to continue a business relationship with a PEP, the PEP’s family members and known close associates. However, the extent of the EDD required can be risk based. Key questions for firms to consider include whether screening identifies the right individuals as PEPs, and how to make the EDD more risk sensitive.

Definitions for key terms relating to beneficial ownership have been outlined, including what constitutes a beneficial owner in relation to a trust, foundation or other legal arrangement, or in respect of the estate of a deceased person. The increased detail needs to be reflected in a firm’s policies, procedures and processes, and complied with.

MLR 2017 retains the five years rule for record keeping after the relationship has been terminated. However, MLR 2017 also require that any personal data in the CDD information, and transaction data, that firms are required to retain be deleted after a maximum of ten years. Data retention policies need to be reviewed in order to reflect this requirement and apply the exemptions. Also, given the increasing emphasis on the risk- based approach, the documentation and justification of a firm’s approach to combat money laundering has further increased in importance.

Central to MLR 2017 is the increased emphasis on risk assessment and furtherance of the application of a risk- based approach. It is clear that there is an increasing expectation on firms to determine and document their own risk-based approach in light of the risks they face and keep this up to date. A nuanced, functional risk assessment based on the information in supra-national, national and regulatory risk assessments will be key to tailoring a firm’s controls based on the identified risks.

This has been redefined to broaden a correspondent relationship from the traditional ‘nostro-vostro’ arrangement to relationships between and among financial institutions. MLR 2017 sets out specific and detailed requirements for the due diligence to be conducted before entering into or continuing a correspondent relationship. These include the nature of the respondent’s business, as well as their reputation and the quality of the supervision to which they are subject. Firms must document the responsibilities of the respondent and correspondent. Firms must be satisfied the respondent verifies the identify of customers who have direct access to accounts with the correspondent, conduct ongoing monitoring of such and provide, within a reasonable period of time, the documents or information obtained by the respondent bank when applying CDD measures. Senior management approval must be obtained before the establishment of a relationship. The impact of this broader definition needs to be assessed, policies and procedures updated to reflect these changes and the extension of methods to establish and monitor the required due diligence information must be addressed.