Money Laundering Regulations 2017 – part 2: Customer Due Diligence and more

The objective of the MLR17 is “to make the financial system a hostile environment for illicit finance while minimising the burden on legitimate businesses”. The impact assessment shows a net direct cost to businesses of £5.2m pa… so don’t expect the MLR17 burden to be any lighter than their predecessor’s.

In this blog post, I summarise the key changes in the MLR17 affecting day-to-day activities, including:

  • Focussing the customer due diligence (“CDD”) more squarely onto risks
  • A need to refresh the risk assessment process
  • More than ID checks are required to complete CDD
  • How the impacts of the enlarged definition of a PEP can be managed
  • A simultaneous easing and toughening of the reliance provisions
  • Necessary additions to engagement letters and other letters to insolvents

My earlier blog post reviewing the MLR17’s effects on firms’ systems and controls can be found at: https://thecompliancealliance.co.uk/blog/legislation/mlr17-part-1/

 

Customer Due Diligence: a clearer objective?

For most intents and purposes, the MLR07 CDD requirements boiled down to identifying and verifying identities. OK, there was also the need for a risk-based assessment, but it seemed that the objective of this was only really to determine the extent of checks employed in the CDD process.

I think the MLR17 provide a welcome adjustment in the emphasis. For example, in setting out the enhanced due diligence (“EDD”) process, Reg 33 puts the risk assessment in the following context:

“When assessing whether there is a high risk of money laundering or terrorist financing in a particular situation, and the extent of the measures which should be taken to manage and mitigate that risk…”

This thought – that the focus of the risk assessment is to consider the risk that “a particular situation” gives rise to a high risk of money laundering or terrorist financing – is repeated elsewhere and emphasises the need to manage and mitigate the risk e.g. of becoming an unwitting “enabler”. Realistically, how far does simply identifying who we’re dealing with get us in this process?

I do understand that money launderers generally want to work under a cloak of anonymity, so getting to the root of who really is behind a company and in the process showing customers that we’re serious when we carry out CDD help manage and mitigate the risks: money launderers may go looking for a less diligent professional. But what really are the risks of the particular situation of an insolvency?

If we’re being appointed over a dead company with few assets, what are the risks of money laundering or terrorist financing? If there have been any such activities, they will only be historic, won’t they? There will be negligible, if any, risk that any such activities will continue under our watch. So in what ways can – or should – any risks be managed or mitigated? Increasing the extent of identity checks we carry out surely won’t help; it may only give us more information to add to a SAR, if we develop suspicions about past events.

Although the new CDD requirements of the MLR17 will be a pain to complete, I do think they get closer to the nub of the issue: what does the customer do and what do they want us to do for them? In so doing, it seems that the flipside is that, if we have a defunct “customer” who isn’t asking us to do anything risky, then we might find the CDD simpler.

I hasten to add that this post describes purely my own interpretation of the MLR17 (plus some input from Jo Harris). I would be surprised if the RPBs see all the requirements in the same light. Regrettably, it may be a long time before we learn how they think the regulations should be applied, but until they make their expectations clear, I am not sure we can be heavily criticised for trying to do our best.

 

First things first: the risk assessment

Like its predecessor, the MLR17 state that the extent of CDD measures must reflect the level of risk assessed. However, I think the MLR17 far more clearly explain how this risk should be assessed.

For instance, Reg 28(12) states that there are two factors involved:

  • the Reg 18 risk assessment – this is the business-wide risk assessment, which I covered in my last blog; and
  • an “assessment of the level of risk arising in any particular case” – I think this finally answers unequivocally the question of whether a risk assessment needs to be done on court appointments: surely a case-specific risk assessment must be done each time.

Although I think we all developed passable approaches to risk assessments under MLR07, I think that the MLR17 help us much more. Reg 28(13) lists the factors to consider for the risk assessment, but in particular I found Reg 33(6) valuable. This regulation lists potential flags of higher risks, setting them out nicely into three categories:

  • customer risk factors, e.g. where the business is cash intensive;
  • product, service, transaction or delivery channel risk factors, e.g. where payments are received from unknown or unassociated third parties; and
  • geographical risk factors.

I found a useful exercise was to develop a list of questions that put many of the eighteen Reg 33(6) factors into a practical insolvency context. This generated several questions that were similar to the MLR07, but I discovered that the emphasis on whether ongoing insolvency engagements could lead to encounters with money launderers emerged strongly.

At the other end of the spectrum, Reg 37(3) is helpful in assessing cases for low risk. This regulation lists another fifteen indicators of potential low risk, categorised into the three headings above, some of which similarly can be converted into insolvency-relevant questions.

As the MLR17 are non-prescriptive however, the warning described at Regs 33(7) and 37(4) should be incorporated somewhere into the risk assessment:

“the presence of one or more risk factors may not always indicate that there is a high [or low] risk of money laundering or terrorist financing in a particular situation”

This will no doubt frustrate those that would much prefer a straightforward way to steer risk assessments to a definitive conclusion, but I think that this final sense-check is valuable, as it is impossible to squeeze all scenarios into a bundle of questions.

 

More steps in the process

The process no longer follows the formula: risk assessment + beneficial owner IDs = CDD. The MLR17 require other information to be examined. For example, Reg 28(3)(b) requires us to “take reasonable measures to determine and verify”:

  • “the law to which the body corporate is subject, and its constitution” (Reg 28(3)(b))
  • “the full names of the board of directors and the senior persons responsible for the operations of the body corporate” (Reg 28(3)(b))

Personally, I do wonder how these items can be “verified”, especially the full names of the senior persons – obtaining this information before engagement may be a struggle as it is.

The MLR17 also turn an eye toward a new person not covered by the MLR07: anyone who purports to act on behalf of the customer. Reg 28(10) requires that such a person be identified and their identity verified in all cases.

 

Enhanced Due Diligence

Continuing the theme of a better targeted approach, I like the way the EDD requirements no longer focus simply on increasing the extent of ID checks… although the downside is that the process has become more time-intensive for higher risk cases.

Reg 33(4) states that EDD measures must include:

  • “as far as reasonably possible, examining the background and purpose of the transaction, and
  • “increasing the degree and nature of monitoring of the business relationship in which the transaction is made to determine whether that transaction or that relationship appear to be suspicious.”

Also, Reg 33(5) states that EDD measures may include “among other things”:

  • “seeking additional independent, reliable sources to verify information provided or made available to the relevant person;
  • “taking additional measures to understand better the background, ownership and financial situation of the customer, and other parties to the transaction;
  • “taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship;
  • “increasing the monitoring of the business relationship, including greater scrutiny of transactions.”

In an insolvency context, I think much of this can be translated into asking oneself: why does this “customer” want to take this step, does it seem logical in the circumstances or could it be a cover for something more sinister?

 

PEPs: are they high risk?

Well of course, in this non-prescriptive world, the answer to this question is always going to be: it depends.

The MLR17 have widened the definition of a PEP to encompass UK PEPs. Therefore, something that for most of us was little more than theoretic under the MLR07, likely will become more of a reality in future. However, PEPs are still likely to pop up only once in a blue moon, which makes it tricky to design systems to accommodate them without overcomplicating processes for the 99.9% of cases.

Additional steps for PEPs and PEP connections

In all cases where a PEP or PEP connection (i.e. family member or “known close associate” of a PEP) has been spotted, the MLR17 require the following steps:

  • Assess the associated risk level and tailor the due diligence measures accordingly;
  • Obtain approval from “senior management” in establishing or continuing the business relationship;
  • “Take adequate measures to establish the source of wealth and source of funds which are involved in the proposed business relationship or transactions with that person”; and
  • Conduct enhanced ongoing monitoring of any business relationship.

So what do you do if the daughter of a domestic Supreme Court judge wants you to help wind up her insolvent company? Does she really present a high risk? Do you really need to go through all those steps?

FCA enlightenment on UK PEPs

The FCA has produced some useful guidance on dealing with PEPs: https://goo.gl/WW2WY1

Understandably, the FCA emphasises the value of the first step: the risk assessment. Helpfully, the guidance states:

“A PEP who is entrusted with a prominent public function in the UK should be treated as low risk, unless a firm has assessed that other risk factors not linked to their position as a PEP mean they pose a higher threat”

This demonstrates to me the pointlessness of this MLR17 change wrapping in domestic PEPs: it has added to the nonsensical bureaucracy, as we now need to (i) note UK PEPs; (ii) consider whether they are low risk; (iii) decide in most cases that they are low risk; (iv) but nevertheless work through the other steps listed above.

If a PEP is low risk, then how practically should we work through the other steps? The FCA suggests:

  • “Senior management” approval need not be at board level; it could be the MLRO.
  • “Take less intrusive and less exhaustive steps” to establish the sources of wealth and of funds; “only use information available to the institution… and do not make further inquiries of the individual unless anomalies arise”.
  • Ongoing monitoring could be, “for example, only where it is necessary to update customer due diligence information or where the customer requests a new service or product”.

Oh well, that’s alright then! Thank you FCA, for bringing a note of reasonableness to the proceedings.

Of course, if a PEP is considered high risk – based, as the FCA points out, on who they are, where they are, and what they want from you – it is only right that additional measures are applied. But, I think that, unless you work in a market that means you encounter PEPs relatively frequently, other than ensuring that staff are alert to the complications arising from PEPs and giving them a place to go when one is spotted, practically on a day-to-day basis there is little point in layering on procedures to deal with PEPs.

 

Reliance on other people’s due diligence: made easier or tougher?

On the one hand, relying on another MLR-regulated person’s customer due diligence checks has been made easier. There is no longer a two-tier supervisory body system, which under the MLR07 meant that an ICAEW-licensed IP could be relied upon, but an IPA-licensed IP could not. Now, the work of any MLR-regulated persons (e.g. including casinos), as well as some overseas equivalents, may be relied upon.

However, there is one new requirement that almost entirely negates this advantage: Reg 39(2) states that the person seeking to rely on another:

“must immediately obtain from the third party all the information needed to satisfy the requirements of regulation 28(2) to (6) and (10) in relation to the customer, customer’s beneficial owner, or any person acting on behalf of the customer”

In other words, you must obtain from the person on whom you are seeking to rely all the information that you would otherwise gather yourself to complete customer due diligence. It also doesn’t avoid the need to carry out a risk assessment or deal with ongoing monitoring. So what is the point of relying on someone else to do some of the work for you, especially when you remain liable for any failure of the relied-on person to conduct appropriate due diligence? You might as well collect the due diligence information yourself, mightn’t you?

 

Additions to engagement letters… and more?

Reg 41(4) states that:

“Relevant persons must provide new customers with the following information before establishing a business relationship or entering into an occasional transaction with the customer:

(a) the information specified in paragraph 2(3) in Part 2 of Schedule 1 to the Data Protection Act 1998 (interpretation of data protection principles);

(b) a statement that any personal data received from the customer will be processed only for the purposes of preventing money laundering or terrorist financing, or as permitted under paragraph (3).”

In other words, the required information is:

  • The identity of the data controller;
  • The identity of any representative nominated by the data controller; and
  • The purposes for which the data are intended to be processed (including the statement required by Reg 41(4)(b) above).

Complying with this requirement seems fairly straightforward when appointments are preceded with an engagement letter to the insolvent/MVL-seeker: the above information likely would feature in the engagement letter.

Is a bankrupt a “new customer”?

What if there is no engagement letter with the “customer”? Does this requirement still apply in bankruptcies, compulsory liquidations and creditor-led Administrations?

Who is the customer in a court or creditor-led process? The old CCAB guidance states: “In the context of insolvency work, the person or entity entering into the business relationship is considered to be the insolvent.” Although I think this was generally accepted and just-about manageable for the MLR07, the shoe-horning of regulations designed for a client-provider relationship into an insolvency context becomes a little more painful with the MLR17.

Are we really expected to view a bankrupt as a “new customer” for the purposes of Reg 41(4)? Do we really need to provide them with the above information? I guess we can add the information to our on-appointment letters to insolvents, but we cannot write to them before establishing the business relationship, i.e. before being appointed as office holder, can we?

Ah, but doesn’t the CCAB Guidance give us a back-stop guide of 5 working days after appointment to complete the due diligence? This is true, but this provision related to the timescale for completing the CDD in view of the fact that the MLR07 had stated that in some circumstances the due diligence could be completed as soon as practicable after first contact – a concession that is repeated in the MLR17 – but we’re not talking about the due diligence process here. The MLR17 do not provide an “as soon as practicable” exception to providing the above information before establishing the business relationship, so I cannot see a practical way for us to comply with Reg 41(4) in most court or creditor-led appointments.

 

Not written with IPs in mind

The MLR17 repeat their predecessor’s deficiency in demonstrating ignorance of the mechanisms of the insolvency regime. I have always objected to the assumption that the insolvent is an IP’s “customer”, especially when I remember that technically under the MLR07/17 an IP is only carrying out regulated activities when s/he is formally appointed. Further questions about the drafter’s knowledge came to my mind when I read the new definition of an IP in the MLR17: not only an individual, but also “any firm… who acts as an insolvency practitioner within the meaning of section 388 of the Insolvency Act 1986” – that would be a clever trick!

In my view, the MLRs’ concept of a “business relationship” also has never really worked: what “business relationship” does the IP form with the insolvent when s/he takes office? And the suggestion that an IP engages in an “occasional transaction” when s/he sells an insolvent’s assets is another cruelty on the English language: is it the insolvent or the IP that is carrying out the transaction? An “occasional transaction” is defined as “a transaction which is not carried out as part of a business relationship”, but the IP is considered to have a “business relationship” with the insolvent, so where does the asset sale fit in?

Is there no useful guidance for IPs? In my view, the CCAB Guidance touches on insolvency far too lightly and the Insolvency Service’s and R3’s Guidance notes are showing their age; both have the air of guidance written when the MLR07 were little more than theory. Let’s hope that we will one day receive some authoritative guidance that demonstrates a proper and practical understanding of how the MLR17 should be applied to the insolvency regime.