UK AML Regime Review – Key Takeaways for Accountants, Lawyers, TCSPs – Part 2

This is the second part of our report on the key takeaways from HM Treasury’s review of the UK’s AML/CFT regulatory and supervisory regime. This report, published by the UK government in June 2022, sheds light on the government’s position on changes to money-laundering regulations as proposed by the industry, law enforcement, supervisors, the broader public and civic society. Whereas the first post focused on some generic concepts, this second article explains where the government stands on key elements of the Risk-Based Approach (RBA) to AML. In particular, the focus is on areas that are highly relevant to individuals working in DNFBP industries such as accountancy, audit, legal, tax advisory, and trust and company service providers (TCSPs).

A Risk-Based Approach?

The Risk-Based Approach (RBA) is the cornerstone of FATF guidelines. This concept was born out of the need to move away from a prescriptive checklist approach and empower entities (including regulators, supervisors and firms) with the ability to put more resources on higher risk scenarios as opposed to those that are deemed to be lower risk. One major criticism of current regulations is that mandatory requirements are not compatible with the risk-based approach, and some advocated for the complete removal of such prescriptive provisions.

After all, how can firms truly implement an RBA if a connection to a list of high-risk jurisdictions as published by the UK government automatically triggers enhanced due diligence (EDD)? Shouldn’t firms be allowed to decide whether this jurisdiction is high risk for them? What if a client they know is low risk deals with such a jurisdiction – why does that automatically trigger EDD?

The government’s report unequivocally states that it is not considering making major changes to existing regulations, and it is not minded to do an overhaul of mandatory requirements. The rationale here is that the FATF does agree with the inclusion of prescriptive requirements and that given the country’s vulnerability to financial crime, the UK has a duty to be even more forceful than other countries in implementing mandatory requirements. There may be instances where some minor elements may be relaxed, as discussed in our previous article, but the government considers that current regulations provide the right balance between promoting a risk-based approach and ensuring that high-risk scenarios are dealt with effectively.

#6 Key takeaway for your organisation:

AML processes cannot be effective without implementing a risk-based approach that ensures you put more resources on clients that are deemed high risk. However, it is important to adhere to any mandatory requirement put in place within the regulations. Most of these requirements are not going to go away anytime soon.

Does the complexity or size of a transaction matter?

Notwithstanding the reluctance by the government to do away with mandatory requirements, there is one particular scenario that may be reconsidered. Firms are obliged to carry out ongoing monitoring – i.e. they should keep monitoring a client and their activities after the client has been onboarded. One of these requirements is the scrutiny of transactions. This makes sense – an unusually large or complex transaction may raise suspicion of illegal activities. The current regulations, however, go beyond this and mandate that enhanced due diligence be triggered in cases where there is a “complex or unusually large transaction”.

But what does “complex” mean? At what point does the size of the transaction become “unusually large”? And does it even matter? There may be a valid reason for a one-off transaction being an outlier. Why does this necessitate the automatic triggering of EDD?

While the report states that this concept is directly lifted from FATF recommendations, the government does acknowledge that there may be room for improvement in the wording of the regulation and that there is a need to ensure that transactions that are low-risk do not automatically trigger EDD just because they are “complex” or “unusually large”.

#7 Key takeaway for your organisation:

Current regulations do mandate EDD in cases of complex or unusually large transactions. But there may be some subtle changes in the near future.

A PEP is a PEP is a PEP – or is it?

A basic concept of anti-money laundering processes is treating politically exposed persons (PEPs) as high risk. This is because individuals that are entrusted with prominent public functions, together with their families and close associates, could abuse their position for money-laundering purposes or could get involved in corruption and bribery situations. Under current regulations a PEP automatically triggers enhanced due diligence. The FATF however makes a distinction between a foreign PEP and a domestic PEP, with the former requiring a higher level of scrutiny. This makes sense. After all, criminals who are politically exposed may attempt to engage the services of a firm in a foreign jurisdiction where their PEP status may go unnoticed, where they may be out of reach of local legislation or where allegations of bribery and corruption may not be well known.

Locally, the distinction between domestic and foreign PEPs was removed as part of the EU’s fourth Anti-Money Laundering directive, and under current regulations “a PEP is a PEP” and requires the application of EDD. The case for treating domestic and foreign PEPs differently is a strong one. To begin with, the requirement does not stem from FATF recommendations. Moreover, the UK’s National Risk Assessment (NRA) lists the risk from domestic PEPs as being low. The government acknowledges that this may be putting an unnecessary burden on local PEPs who genuinely need the services of accountants, auditors, lawyers and tax advisors. As a result, it is considering removing the automatic triggering of EDD for domestic PEPs, especially in cases where there are no other high-risk factors.

#8 Key takeaway for your organisation:

Under current regulations, EDD needs to be applied in the case of a PEP, whether or not the individual resides or holds office in the UK. The government is, however, considering relaxing this prescriptive measure in cases of low-risk domestic PEPs.

High-risk third countries EDD may be too prescriptive

The UK government maintains and publishes a list of high-risk third countries (HRTC) that pose a high money laundering risk due to deficiencies within the country’s AML/CFT controls. This list is composed of countries that are placed on the FATF’s Call to Action list or Jurisdictions under Increased Monitoring list.

AML regulations require that firms carry out enhanced due diligence when dealing with clients established in a country on this list or in cases where a transaction involves a party established in one of these jurisdictions.

The government has acknowledged that not all the jurisdictions flagged as high risk by the FATF pose the same level of risk to the UK. As a result, it is considering updating the criteria used to determine the list of countries on the HRTC list.

Another point discussed in the HM Treasury’s report is that the current regulations go beyond stating that EDD needs to be applied in such cases. The regulations list a very specific set of checks that need to be carried out. This includes obtaining additional information on the customer, their beneficial owners, the nature of the business relationship, the source of funds, source of wealth and the reason for related transactions. Moreover, in such scenarios, organisations are obliged to obtain the approval of senior management to onboard the client or continue a business relationship with the client, and to commit to carrying out enhanced monitoring on the client.

The government has acknowledged that this list of requirements may be too prescriptive and, in most cases, goes beyond FATF guidelines. As a result, while the government is committed to maintaining a list of high-risk third countries, it is considering removing the mandatory requirements associated with these jurisdictions. This would empower organisations to take a more risk-based approach in such situations.

#9 Key takeaway for your organisation:

The list of high-risk third countries (HRTC) needs to be monitored regularly since any business established in these countries automatically triggers EDD. Given that the list is based on lists published by the FATF, organisations should be mindful that this is currently updated three times a year. This may change in the future if the government defines different criteria to determine what jurisdictions are considered high-risk. Another key takeaway is that under current regulations, the EDD checks to apply are prescriptive and very specific. This is a requirement that may change in the future though.

No changes to SDD Regulations

AML regulations stipulate that simplified due diligence (SDD) can be carried out for clients that are classified as low risk. In such scenarios, the regulations still require normal customer due diligence (CDD) to be carried out, but the “extent, timing or type” of CDD may be altered. Respondents to the Call for Evidence noted that since all elements of CDD need to be carried out, SDD still requires the same level of resources to implement as CDD, rendering SDD useless.

The government’s position in this regard remains the same, however, and no changes to guidelines are anticipated. This is because the guidelines are deemed to be in line with FATF requirements.

#10 Key takeaway for your organisation:

SDD can be applied in lower-risk scenarios, but all elements of the customer due diligence process need to be carried out. The “extent, timing or type” may allow some flexibility but there are no plans to relax these regulations further.

How much can you rely on reliance?

Reliance is a mechanism by which a firm may rely on another regulated business to carry out relevant due diligence checks. This could in theory simplify the CDD process drastically but the manner in which the regulations are worded decreases its usefulness. For starters, the legal liability for carrying out due diligence rests squarely on the firm providing the relevant service and therefore firms cannot blindly rely on the due diligence carried out by the other firm.

The relying party must ensure they are provided with the ability to immediately access CDD data and documents on request. The term “immediately” may lead to complex data-sharing agreements and may pose challenges from an IT systems perspective. Moreover, given that such documents and data need to be retained for a long period of time, commercial and contractual obligations between the parties become more complex. Reliance also does not lend itself particularly well to ongoing monitoring. Another argument against reliance is the difficulty in aligning risk policies between the two parties, because the relying party’s AML policies may dictate that a different set of data or documents is collected as part of the due diligence process.

Given these issues, a lot of businesses are reluctant to enter into reliance agreements. The government, however, stated that reliance should not be used to circumvent customer due diligence obligations in terms of liability, record keeping and data retention. The report states that the current regulations are in line with the FATF position and that the government is of the opinion that these regulations should remain in place as is.

#11 Key takeaway for your organisation:

Using reliance to improve the efficiency of your customer due diligence process is encouraged. However, you are still responsible for all customer due diligence; and you need to make sure that your contractual agreement with the other party addresses all regulatory obligations.

Conclusion

In this article we looked at the UK government’s mindset when reviewing the current version of AML regulations. Some of these regulations are expected to remain unchanged. For example, even though businesses may find the regulations around simplified due diligence and reliance restrictive, the government is not foreseeing any changes in these areas.

On the other hand, there are a few mandatory requirements that trigger enhanced due diligence that may be relaxed slightly going forward. This includes the treatment of complex and unusual transactions, local PEPs and high-risk third countries. As long as the current regulations remain in place, though, it is important to ensure that the existing legislation is followed.