On June 26th the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) came into force, requiring firms that are subject to MLR 2017 to apply a comprehensive risk-based approach to the risks of money laundering and terrorism financing. The underpinning of this risk-based approach is a risk assessment flowing from a country-level risk assessment at government level, through to supervisory body risk assessments – e.g. Law Society and Solicitors Regulatory Authority – and, ultimately, down to a firm-based risk assessment.
In 2015 the UK conducted its most recent risk assessment, with the next full assessment due to be completed by HM Treasury by summer 2018. The UK supervisory authorities are also conducting their review of relevant persons (firms), examining the specific vertical each firm works in and what they should be looking at within the context of their risk assessment. This work is ongoing, with each supervisory authority working to different timelines. These factors are likely to have a profound impact on the approach legal and professional services firms take when conducting their own risk assessments as part of their overall risk-based approach. Significant changes to Know Your Customer (KYC) policies and operations are inevitable.
Over the last few years there has been a lot of focus within the professional and legal services sector on the EU 4th Anti-Money Laundering Directive, which was adopted in 2015. MLR 2017 is the UK’s response to the directive, amending an array of UK legislation and introducing the most widespread change to the UK’s anti-money laundering law in more than a decade. The directive and the resulting MLR 2017 are consistently clear in their message – firms should apply a systemic risk-based approach to the money laundering and terrorist financing risk within all their business relationships.
Risk assessments conducted by a firm must take into account multiple factors, such as who its customers are, the countries it operates in, geographic region, the products and services it offers, delivery channels and transactions offered. This has to be documented, and firms must keep written records up to date with all the steps taken.
As we have determined, both supervisory authorities and relevant persons must undertake risk assessments. Supervisory authorities, of course, have a wider remit than relevant persons, so it is not possible for relevant persons to simply copy and paste the findings of the risk assessment undertaken by the supervisory authorities; in fact, such an approach flies in the face of both the letter and spirit of the new regulations. They must, however, take into account relevant information made available to them by their supervisory body.
This opens up a very real problem – if both sets of risk assessments were to be completed by June 26th 2017, how are the relevant persons meant to draw upon the work carried out by the supervisory authorities? Whether this issue has been fully considered by authorities is unknown, but it could very well be the case that there are discrepancies between the risk assessments as a result; firms seeking compliance today may have to change their approach tomorrow when their supervisory body issues more detailed guidance.
For small firms or those that have not undertaken a risk assessment in the past, the process is likely to be quite daunting. The Money Laundering Reporting Officer (MLRO) or Head of Compliance is responsible for ensuring that the process is adhered to, and my advice would be to speak to your supervisory authority at the earliest opportunity. They are best placed to advise what information should be taken into account by a firm conducting its own risk assessment.
Next year will see the implementation of the supervisor of supervisors. The Office for Professional Body Anti-Money Laundering Supervision (OPBAS) will seek to standardise the approaches taken by the professional body supervisors. The government had decided that having a multitude of supervisors could result in an inconsistent and often confusing supervisory landscape; it is hoped that streamlining the approach by co-ordinating each of the 25 professional body supervisors under a single supervisory framework will mitigate such concern. Time will tell.
Risk assessments are likely to be a new experience for many small firms. It is important when carrying out these assessments that senior managers responsible for compliance have the status and experience to be able to push through necessary implementations and ensure that the assessment is carried out to the requisite standard.
In relation to the National Risk Assessment and supervisory risk assessment, enshrining such measures is a welcome addition to bolster the UK’s continuing fight against money laundering and terrorist financing. These assessments will give much-needed guidance to firms conducting their own risk assessments, defining what is important and must be implemented. In a similar vein, the creation of OPBAS should introduce standardisation in guidance and enforcement across all money laundering supervisory bodies.
As a product marketing professional, Mike specialises in technologies that deliver business innovation by managing, analysing and presenting information. Mike’s career spans working in Australia, Europe and USA with experience in financial services, telecommunications, energy, pharmaceuticals, electronics and public sector, and with vendors including Netezza, Oracle, Vignette, BMC Software, and IBM.