On 20 December 2019, we received a festive treat: the publication of the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (the “Regulations”).  The Regulations, which will come into force on 10 January 2020, implement the Fifth EU Money Laundering Directive (Directive (EU) 2018/843, “5MLD”)) in the UK, and follow a high level consultation in summer 2019.

The Regulations make some limited but important amendments to the existing Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR“).  These include an expansion of the scope of the regulated sector, and changes to aspects of regulated firms’ customer due diligence and enhanced due diligence obligations (including, in particular, an important new requirement to make reports to Companies House in relation to discrepancies between information collected during customer due diligence and information on the Persons with Significant Control register).  In this briefing we review the changes and new obligations.

Background: 4MLD/5MLD

The MLR, which came into force in June 2017, implemented in the UK the Fourth EU Money Laundering Directive (Directive (EU) 2015/849, “4MLD“).  This involved a quite significant overhaul of the pre-existing anti-money laundering (“AML“) compliance regime.  5MLD was passed hot on the heels of 4MLD, in the wake of the terrorist attacks in Paris and Brussels, and the outcry following publication of the ‘Panama papers’.  Given this context, 5MLD focused on strengthening some discrete areas of AML compliance rather than changing the overall 4MLD framework.

The Government has also taken the opportunity presented by the Regulations to make some amendments to the MLR to reflect changes recommended by the Financial Action Taskforce (“FATF“) in their mutual evaluation review (“MER“) of the UK in December 2018.

In theory, all EU member states should implement these requirements by 10 January 2020 and some have done so; but many countries were late in implementing aspects of previous money laundering directives, and this is likely to be the case in relation to 5MLD also.

Scope of the AML regulated sector

The Regulations will extend the scope of the MLR so that additional types of firms will become subject to AML compliance requirements (i.e. will be required to have AML policies, procedures and controls, conduct customer due diligence, keep records, train staff, and so on).

The four new types of regulated business are:

  • Lettings Agents – this includes persons acting on behalf of either landlords or tenants, but only where agreements are concluded for the letting of land (including buildings) for a term of a month or more and a monthly rent (at any point during the term) of EUR 10,000 or more. Certain exclusions apply, for example in respect of businesses which only publish lettings advertisements.
  • Art market participants – this comprises (a) persons who by way of business trade in, or act as intermediaries in, the sale or purchase of works of art in respect of transactions amounting to EUR 10,000 or more, and (b) the operators of freeports, who store works of art worth EUR 10,000 or more in the freeport.
  • Cryptoasset exchange providers – this comprises persons who, by way of business, exchange, or make arrangements to exchange, cryptoassets for money, money for crypto-assets, or one cryptoasset for another, and persons who operate machines which use automated processes to exchange cryptoassets for money (or vice versa). As foreshadowed in the Government consultation, and in line with the FATF Recommendations, this ‘gold-plates’ the requirements of 5MLD, which focus on fiat-virtual currency exchangers and do not cover virtual-virtual currency exchangers.
  • Custodian wallet providers – this comprises persons who, by way of business, provide services on behalf of customers to safeguard, or safeguard and administer, either private cryptographic keys (in order to hold, store and transfer cryptoassets) or cryptoassets.

Cryptoasset exchange providers and custodian wallet providers (“cryptoasset businesses“) will be supervised by the FCA, whilst art market participants and letting agents will be supervised by HMRC (in the case of letting agents, to the extent they are not supervised by a relevant professional body).  The FCA must maintain a register of cryptoasset exchange providers and custodian wallet providers, whilst HMRC may do so in relation to art market participants and letting agents.

Regulation 56 prohibits certain parts of the AML-regulated sector (including the newly regulated cryptoasset businesses) from conducting business without being registered.  Thus, new cryptoasset businesses (i.e. those that intend to carry on a cryptoasset activity after 10 January 2020, but do not currently do so) must be registered before they can carry on the activity.  However, regulation 56A sets out transitional provisions for pre-existing cryptoasset businesses.  Broadly speaking, the regulation 56 prohibition will only apply from the earlier of (a) 10 January 2021, or (b) a decision by the FCA to register or not register the business taking effect.

The FCA has indicated that its Gateway will open for cryptoasset businesses to submit applications for registration from 10 January, and that 30 June is the latest date for applications to be received for priority review.  10 October is the latest date for complete applications to be submitted in order to be determined by the 10 January 2021 cut-off date (when existing firms must stop trading if they are not registered).

Finally on scope, the definition of a “tax adviser” has also been expanded from those who provide “advice about the tax affairs of other persons” to those who provide “material aid, or assistance or advice, in connection with the tax affairs of other persons, whether provided directly or through a third party”.

Obligations on regulated firms: policies, controls and procedures

In addition, to expanding the scope of the regulated sector, the Regulations make some changes to the obligations to which all regulated firms are subject.

In relation to systems and controls requirement, the Regulations make the following changes:

  • Firms have an existing obligation to have policies, controls and procedures (“PCPs“) which provide for the identification and scrutiny (a) of transactions which are complex and unusual large, or (b) unusual patterns of transactions, in either case if the transaction(s) have no apparent economic or legal purpose. This obligation has been redrafted to require firms to have PCPs relating to the identification and scrutiny of transactions which are complex or unusually large or unusual patterns of transactions or which have no apparent economic or legal purpose.  This is an unhelpful amendment for firms which routinely deal with complex transactions – for whom the complexity may be normal and may not reflect any elevated money laundering risk.  It is to be hoped that guidance will in due course support a proportionate approach to the interpretation of this recast obligation.
  • The requirement to ensure that, when “new technology” is adopted by the firm, appropriate measures are taken to assess and, if necessary, mitigate any money laundering/terrorist financing (“ML/TF“) risk has been extended to cover the adoption of “new products, new business practices (including new delivery mechanisms) or new technology“. One would expect new product approval processes to already include consideration of ML/TF risk, but this obligation is therefore now more expressly embedded in the MLR.
  • The requirement to establish and maintain group-wide PCPs for information-sharing with other group companies for AML/CTF purposes is expressly extended to include “policies on the sharing of information about customers, customer accounts and transactions”.
  • Training requirements for “relevant employees” are extended to any agents the firm uses in its business whose work is relevant to the firm’s compliance with the MLR or who are otherwise capable of contributing identifying or mitigating MT/TF risk, or preventing or detecting ML/TF.

Obligations on regulated firms: when to conduct CDD

One of the core obligations for AML-regulated firms is to conduct customer due diligence (“CDD“).  With some exceptions, firms are required to conduct CDD: (i) on establishing a business relationship, carrying out  a transfer of funds exceeding EUR 1,000 or where there are suspicions of ML/TF or doubts about documents received; (ii) when carrying out an “occasional transaction” amounting to EUR 15,000 or more; (iii) and to existing customers in certain circumstances.

For the newly regulated firms, there are some specific CDD triggers as an alternative to the usual ‘occasional transaction’ trigger.  These are as follows:

  • Letting agents – must apply CDD measures in relation to the conclusion of a relevant letting agreement (for a term of at least month, at a rent of at least EUR 10,000 in any one month), and must do so in relation to both the landlord and the tenant;
  • Art market participants – must apply CDD measures in relation to the trade of a work of art, where the transaction is worth EUR 10,000 or more, and, for freeport operators, in relation to the storage of a work of art worth EUR 10,000 or more; and
  • Cryptoasset exchange providers who provide machines to exchange cryptoassets for money (or vice versa) – must apply CDD measures to any transactions carried out using that machine. It seems that other cryptoasset businesses would be subject to the normal CDD triggers (for business relationships etc, and occasional transactions, as set out above).

For existing regulated firms, there is only one change to the CDD triggers, and that relates to CDD on existing customers.  At present, CDD must be applied “at appropriate times to existing customers on a risk based approach” and when the firm becomes aware that the circumstances of the customer relevant to its risk assessment have changed.  Two new triggers have been added, such that firms must also conduct CDD:

  • when they have any legal duty in the course of the calendar year to contact existing customers for the purpose of reviewing any information which is relevant to the firm’s risk assessment, and relates to the customer’s beneficial ownership; and
  • when the firm has to contact an existing customer in order to fulfil any duty under the International Tax Compliance Regulations 2014.

For firms which take advantage of the e-money purse limit exemptions in regulation 38, there have been a number of amendments to the relevant thresholds.  In particular, to be exempt from CDD in relation to electronic money, the maximum amount which can be stored electronically has been reduced to EUR 150 (it was previously EUR 250, or EUR 500 for products that could only be used in the UK), and the maximum limit on monthly payments for reloadable products has been reduced to EUR 150 (which can only be used in the UK).  The exemption from CDD does not apply to any transaction involving a cash redemption/withdrawal where the amount redeemed exceeds EUR 50 (the limit was previously EUR 100).

Content of CDD: what do firms have to do

In relation to the question of what CDD measures need to be taken, there are two amendments of significance:

  • Where a UBO cannot be identified: where a firm has not succeeded in identifying the beneficial owner (“UBO“) of a customer which is a body corporate despite exhausting all possible means of doing so, the firm must take reasonable measures to verify the identity of the senior person in the body corporate responsible for managing it. Previously, the firm had the option of treating a manager as a UBO, but was not required to do so.  The firm must also keep records in writing of the actions taken to do so and any difficulties encountered, and records of all actions taken to identify the UBO.
  • Checking the PSC register: Before forming a business relationship with certain types of legal entity which are required to file information on their Persons with Significant Control (“PSCs“) with Companies House, firms will be required to collect proof of registration or an excerpt from the register. Firms will then be subject to an obligation to report discrepancies between the information on Companies House and the beneficial ownership information they receive when conducting CDD, as discussed further below.

The following changes have also been made:

  • Understanding customer’s control structure: It has been made clearer that, where the customer is a legal person, trust, company, foundation or similar legal arrangement, the firm must take reasonable measures to understand the ownership and control structure of the customer. (This was already a requirement where the customer was beneficially owned by a company etc, and is a step that firms routinely take in any event).
  • Electronic ID: The MLR now expressly reflect that, for CDD purposes, information may be regarded as obtained from an independent and reliable source if it is obtained by an electronic identification process (including by using electronic identification means or a trust service within the meaning of EU Regulation No 910/2014) which is secure from fraud and misuse and capable of providing an appropriate level of assurance that the customer is who they claim to be. Note that this provision does not mandate the use of electronic identification checks – it simply reflects that checks meeting the appropriate standard are capable of meeting CDD requirements.

Enhanced due diligence

Changes have also been made to firms’ enhanced due diligence (“EDD“) obligations.

High risk third countries

An area of much focus during the consultation period was the obligation under 5MLD to apply EDD to a transaction “involving” a high risk third country (“HR3C“).  This had the scope to significantly expand the pre-existing obligation, which was to apply EDD to customers established in a HR3C.  The expected impact was exacerbated by the fact that 5MLD adds to the list of EDD measures which must be applied in such cases, and the continued review at EU level of the list of HR3Cs (readers of this briefing may recall the controversy when Saudi Arabia and certain offshore US territories were almost added to the list).  This has led to much debate about how best to interpret the word “involving”.

As implemented in the MLR, the requirement will be to apply EDD:

  • In a business relationship with a person established in a HR3C (this is as before, but there is now a definition of what being “established in” a HR3C means: it is a company incorporated in the country, a credit or financial institution having its principal regulatory authority in that country, or an individual resident in that country); and
  • In relation to any “relevant transaction”, which is defined to mean a transaction in relation to which the firm is required to apply CDD measures under regulation 27 (which would therefore appear to cover occasional transactions over the relevant value thresholds and not carried out in the course of a business relationship), where either of the parties to the transaction is established in a HR3C.

This is broadly helpful – the intention appears to be to find a proportionate way to implement the new obligation, and it is clear that not every transaction with a nexus to a HR3C will trigger EDD, which was the original concern.  Nonetheless, firms will need to consider whether they have appropriate processes to identify transactions that will now trigger these EDD requirements.

Where EDD is necessary because a customer is established in a HR3C or a relevant transaction involves a customer or counterparty in a HR3C, the EDD measures required are:

  • Obtaining additional information on the customer and the customer’s UBO;
  • Obtaining additional information on the intended nature of the business relationship;
  • Obtaining information on the source of funds and source of wealth of the customer;
  • Obtaining information on the reasons of for the transaction;
  • Obtaining the approval of senior management for establishing or continuing the business relationship; and
  • Conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.

High risk factors

Regulation 33 lists various (non-exhaustive) customer, delivery channel, and geographical risk factors which firms must take into account in assessing whether a particular situation presents a higher ML/TF risk, and the EDD measures that should be taken to mitigate such risk.

These risk factors have been supplemented to add the following:

  • The customer is the beneficiary of a life insurance policy.
  • The customer is a third country national applying for residency or citizenship in an EEA state in exchange for transfers of capital, the purchase of property, government bonds or investment.
  • There is a transaction related to oil, arms, precious metals, tobacco products, cultural artefacts, ivory and other items related to protected species, or other items of archaeological, historical, cultural and religious significance, or of rare scientific value.

Firms will need to ensure that any risk assessment processes incorporate these new risk factors.

Other EDD requirements

There are two other EDD-related changes.

First, there is a small but important amendment, mirroring one discussed above in the context of PCPs.  Firms were required to conduct EDD on complex transactions, unusually large transactions, and transactions in an unusual pattern, if the transaction(s) had no apparent economic or legal purpose.  As a result of an “and” becoming an “or”, there will now be a requirement to conduct EDD on all complex transactions, all unusually large transactions, and all unusual patterns of transactions, in addition to all transactions which have no apparently economic or legal purpose.  As noted above, it is to be hoped that any updated guidance might assist in the interpretation of the word “complex” – for example, by focussing on transactions which are complex in the context of a particular firm’s business.

Secondly, there is also a new express requirement for credit and financial institutions, where the customer is  a corporate entity/legal arrangement and is the beneficiary of a life insurance policy, and the customer presents a high risk of ML/TF, for the institution to take reasonable measures to identify and verify the identity of the UBOs of the beneficiary before any payment is made under the policy.

Anonymous pre-paid cards: credit and financial institutions acting as acquirers

Pursuant to new reg.38(4A), credit and financial institutions who act as acquirers for payment using an anonymous prepaid card issued in a third country are required only to accept payment where the anonymous prepaid card is subject to requirements in national law having equivalent effect to the MLR and the anonymous prepaid card satisfies those requirements.  In this context, “acting as an acquirer” means acting as a payment services provider contracting with a payee to accept and process card-based payment transactions resulting in a transfer of funds to the payee.

This particular provision will not be brought into force until 10 July 2020.

Reporting discrepancies in beneficial ownership information to Companies House

One of the more controversial aspects of the Regulations, but one which flows directly from 5MLD, is the new obligation for firms to report “discrepancies” between information which corporate customers have filed with Companies House and information which the firm obtains when conducting CDD or “which otherwise becomes available to the [firm] in the course of carrying out its duties under [the MLR]”.  In effect, the exercise of policing the information submitted by companies to Companies House has been outsourced to the private sector.

Such reports will be made to Companies House.  The MLR then require the Registrar to take such action as s/he considers appropriate to investigate and, if necessary, resolve the discrepancy in a timely manner.  By virtue of an amendment to the Companies Act, the registrar is given power to remove material from the register if that is necessary in order to resolve the discrepancy.  In the meantime, the reported discrepancy is excluded from public inspection (i.e. it will not appear on Companies House records).

At the time of writing this briefing, additional guidance was awaited from HM Treasury/Companies House in relation to the practical operation of these provisions – notwithstanding that they will come into force tomorrow.  At present, unanswered questions include the following:

  • How such reports must be made (via email, online form, etc);
  • The timescale within which reports such must be made;
  • Given that the definitions of a PSC for the purposes of the companies legislation and a UBO for the purposes of the MLR are slightly different, how firms should treat and how the Registrar will treat any “discrepancies” which simply reflect those different definitions;
  • Whether firms can and should communicate to their customers that they will be reporting a discrepancy.

These issues were raised in a number of consultation responses last year.  Such responses also noted the desirability of protecting firms from liability where discrepancies are reported in good faith, and concerns regarding the interaction of the discrepancy reporting obligations and the tipping off offence (if money laundering is suspected).  At the date of writing, the government had not published a consultation response and its website continues to indicate “We are analysing your feedback: Visit this page again soon to download the outcome to this public feedback”.

Register of trust UBOs: watch this space

As readers will be aware, one important change under 5MLD was a significant expansion to the register of UBOs of trusts and similar legal arrangement (which is currently maintained in the UK by HMRC, through the Trust Registration Service, and which unlike the PSC register is not public).  Under 4MLD, the registration requirement was triggered “when the trust generates tax consequences”, a concept implemented in the UK via the concept of a “relevant trust” in regulation 42.  Under 5MLD, the register will be expanded to cover all “express trusts”, and the information will be available, inter alia, to competent authorities, firms conducting CDD, and any person that can demonstrate a legitimate interest.

These changes are of particular significance for the UK, given the widespread use of trusts in our legal system.

The 2019 consultation made various proposals regarding the implementation of the expanded register, but indicated that a more detailed technical consultation would be run by HMRC later in the year.  That consultation has not yet been published, and the trust register requirements have not been implemented in the Regulations.

The government has until 10 March 2020 to implement these changes and, if that deadline is to be met, any HMRC consultation will presumably need to be issued in the very near future.

Requests for information about bank accounts and safe deposit boxes

New regulations 45A to 45H implement the 5MLD provisions which require member states to establish centralised automated mechanisms, such as central registries or central electronic data retrieval systems, to allow for the identification of bank and payment accounts and safety deposit boxes.

The UK has not established a central register in this regard.  Instead, the Regulations place a duty on the Secretary of State or the Treasury “to ensure that a central automated mechanism…is established for making and responding to requests under this Part”.  The nature of the central automated mechanism (“CAM“)  is not further addressed in the Regulations, but there are additional provisions setting out some further specificity regarding who will be able to make through the CAM when it is established, in what circumstances, and what information can be requested.  These provisions are summarised below.

  • When do the provisions come into force? New Part 5A of the MLR, which contains the provisions summarised below, comes into force on 10 September 2020.
  • To whom are these provisions relevant? The only firms that can be subject to requests via the CAM are (a) credit institutions, and (b) credit or financial institutions which make available safe deposit boxes to customers in the UK.  Those firms should read on!
  • What new compliance obligations will be imposed?
    • Firms to whom these provisions are relevant (see above) will need to “establish and maintain systems which enable [them] to respond, using the CAM, to a request for information made…by a law enforcement agency or the Gambling Commission”.
    • If firms receive such a request, they must, using the CAM, provide the requested information “fully and rapidly”.
    • Firms must also keep records (in the form of documents or information) of the information which may be subject to a request (see below) for a period of 5 years beginning with the date of closure of the account or safe-deposit box; once this period has expired, records containing personal data must be deleted subject to certain limited exceptions. The retention period mirrors the existing retention record-keeping requirements under the MLR, but firms will need to consider whether they retain the various categories of information which can be requested, and whether they have systems which would enable them to retrieve this and respond rapidly to requests.
  • What information can be requested? The information that can be requested (and to which the new record-keeping obligation therefore applies) is:
    • In relation to an account held with a credit institution, or an account with an IBAN held with a credit union: (a) the name of the account-holder; if the account-holder is an individual, (b) his/her date of birth and (c) address; (d) if the account-holder is a firm, the address of its registered office and (if different) principal place of business; (e) the name of any person purporting to act on behalf of the account-holder; (f) the name and date of birth of any individual with a beneficial interest in the account or the account-holder, and (g) their address; (h) where a firm has a beneficial interest in the account or the account-holder, its name, registered office and (if different), principal place of business; (i) the IBAN; (j) any other number by which the bank identifies the account (e.g. a roll number); (k) the account opening date; (l) the account closure date, if relevant; and (m) any other numbers specific to such individuals (whether the account-holder, person acting on his/her behalf, or UBO), used to verify identity and contained in CDD documents (e.g. a passport or driving licence number).
    • In relation to a safe-deposit box: (a) the name of the customer; if the customer is an individual, (b) his/her date of birth and (c) address; (d) if the customer is a firm, the address of its registered office and (if different) principal place of business; (e) the name of any person (other than employees of the box provider) who the provider knows holds or held a key for the box or has access to it; (f) the date the box was made available to the customer, and when it ceased to be available; (g) any numbers specific to customer or other person with a key/access, used to verify identity and contained in CDD documents (e.g. a passport or driving licence number).
    • Who can make requests? A law enforcement agency or the Gambling Commission.
    • For what purpose can requests be made? The NCA can request information for any purpose in connection with its FIU functions.  Otherwise, law enforcement agencies can only request information in connection with specified types of investigations (including ML, TF and terrorism investigations) or (where relevant) to carry out supervisory functions.  The Gambling Commission can only make requests for the purpose of carrying out its supervisory functions.  There are some limited process requirements prior to a request being made, including approval of a “senior officer”, who must consider whether the request is proportionate.
    • Will there be further guidance? Yes!  But it appears that no-one has yet decided who will issue it – the MLR envisages that guidance will be issued by HM Treasury, or by an “appropriate body” or the NCA and approved by Treasury.  Firms and law enforcement “may” then take such guidance into account.  There are also provisions for the NCA to access information about requests and responses for the purposes of preparing guidance or providing anonymised information to the Secretary of State.  The Secretary of State is also required, prior to the end of the first calendar year after the CAM is established and annually thereafter, to review the CAM and publish a report.

Additional requirements for cryptoasset businesses

The newly regulated cryptoasset businesses will be subject to a number of new requirements and supervisory tools, the detail of which is beyond the scope of this briefing, but are summarised here briefly:

  • Disclosure by cryptoasset businesses of FOS/FSCS status to customers: Under new regulation 60A, where a cryptoasset business establishes a business relationship or enters a transaction with a customer that is not within the scope of the jurisdiction of the Financial Ombudsman Service or is not protected by the Financial Services Compensation Scheme, the business must inform the customer of this in advance.
  • Reporting requirements: regulation 74A contains a broad requirement for cryptoasset businesses to provide to the FCA such information as it may direct relating to, amongst other things, its compliance with the MLR.
  • Skilled persons: Regulation 74B entitles the FCA to appoint “skilled persons” to a cryptoasset business
  • Directions: regulation 74C entitles the FCA to impose directions in writing on cryptoasset business to remedy or prevent a failure to comply with the MLR, or to prevent it from being used for ML/TF (although various rights of appeal apply).

Supervision and enforcement

In addition to changes to the compliance obligations for regulated firms, there are some amendments to the provisions relating to the powers and duties of supervisory authorities.

New obligations for supervisory authorities

The obligations imposed on supervisory authorities by regulation 46 are expanded to include: a requirement on each supervisory authority to provide secure communications channels for reporting actual and potential breaches of the MLR; to take reasonable measures to ensure that the identity of whistleblowers are known only to the supervisory authority; and to encourage its supervised sector to report actual or potential breaches (this was previously drafted as the reporting of “breaches”).

Self-regulatory organisations (“SROs“) will come under an obligation to publish an annual report setting out, amongst other things, the steps they have taken to encourage breach reporting, the number of reports received, and the measures taken to monitor and enforce compliance.  Supervisory authorities (including SROs) will also be required to include the amount of human resource dedicated to AML/CTF supervision within the information they are obliged to report to HM Treasury under Schedule 4 of the MLR.

SROs will be expressly required to ensure that potential conflicts of interest within the organisation are appropriately handled.

Finally, there are some limited changes to the provisions relating to cooperation between supervisory authorities and with international partners, a new ”gateway’ created for HM Treasury to disclose to the FCA information provided to it by SROs for the purpose of the OPBAS regime, and a new regulation 52A which addresses the circumstances in which bodies which supervise credit and financial institutions may (and may not) disclose confidential information received in the course of supervisory duties under the MLR.

Approval of BOOMs and fit and proper test

Regulation 26 requires the supervisory authorities of certain types of professional firms to approve their beneficial owners, officers and managers (“BOOMs“).  Letting agents and art market participants will become subject to this requirement, although a transitional provision allows a person to act as a BOOM for these newly regulated businesses if they have made an application for approval by 10 January 2021.

A tweak to the BOOM approval requirements also requires applicants for BOOM approval to provide information which enables the supervisory authority to determine whether the applicant has been convicted of a relevant criminal offence.  Conversely, supervisory authorities are placed under a new duty to take necessary measures to ensure that any application for which the authority grants approval meets these requirements.

Regulation 58 requires the “registering authorities” (the FCA and HMRC) to apply an additional “fit and proper” test when assessing applicants to be registered as Money Services Businesses or Trust and Company Services Providers.  The factors which the authorities will consider in assessing this have been extended to add the question of whether the applicant and any BOOM has adequate skills and experience and has acted and may be expected to act with probity.

The requirement to apply a fit and proper test will also be extended to the FCA’s registration of cryptoasset businesses.  Further, the FCA will have power to suspend or cancel a cryptoasset business’s registration if at any time is satisfied that the business or its BOOMs do not meet the fit and proper requirements.

Publication of directions relating to group-wide compliance

A new provision allows a supervisory authority to publish information about a direction given to a firm in circumstances where the firm has not taken sufficient steps to handle the ML/TF risk relating to the activities of its subsidiaries/branches in third countries whose laws do not permit the application of measures equivalent to those in the MLR.


There are a number of miscellaneous changes.

The joint report which the Treasury and Home Office are required to prepare by regulation 16, setting out the findings of the UK national risk assessment, must now also set out “the institutional structure and broad procedures” of the UK’s AML/CTF regime, including the role of the FIU, tax agencies and prosecutors, and the nature of the measures taken and recourse allocated to countering money laundering and terrorist financing.

The Treasury is required by regulation 21 of the Regulations to carry out a review of the new regulatory provisions and to publish a report relating to the same, the first report being due by 26 June 2022 and subsequent reports required at least 5 year intervals.

Schedule 6A sets out provisions relating to the NCA in its capacity as the UK FIU, in light of recommendations made by the FATF MER, focussed on information sharing between financial intelligence units.


The Regulations could not be published during the purdah period in the run up to the recent General Election, and accordingly the final form of the Regulations have been made available at a very late stage – just 10 working days in advance of coming into force.  Whilst the changes are relatively limited, there are some amendments which will require changes to processes and procedures, and guidance on the discrepancy reporting obligation is still awaited; it is to be hoped that supervisors, in assessing firms’ compliance with the MLR, will recognise that they have been put in a difficult position by these last minute developments.  The FCA’s webpage on the Regulations simply states that “[w]e expect firms to comply with the new, amended regulations from 10 January 2020.  In assessing our approach to firms that may not be compliant on that date, we will take into account evidence that they have taken sufficient steps before that date to comply with these new obligations”.

To the newly regulated sectors: welcome to the world of anti-money laundering regulation!

Susannah Cogman
Susannah Cogman
Partner, London
+44 20 7466 2580
Daniel Hudson
Daniel Hudson
Partner, London
+44 20 7466 2470
Brian Spiro
Brian Spiro
Partner, London
+44 20 7466 2381
Kate Meakin
Kate Meakin
Of Counsel, London
+44 20 7466 2169