Accountants have had up to a decade to become familiar with anti-moneylaundering (AML) regulations in the UK. Then in June last year they were updated by the 2017 MLR (MLR17). The new regulations do not introduce root and branch reforms – they build on the pre-existing regulatory framework – but they do bring in some potentially significant changes that practitioners need to be aware of.
It isn’t immediately obvious what the most significant changes are, even if you go wading through the new legislation armed with extensive knowledge of what preceded it. Many accountants have, understandably, waited for guidance from recognised supervisory authorities including ICAEW and forums such as the Consultative Committee of Accounting Bodies (CCAB) and (after approval by HM Treasury), both organisations recently published their position. ICAEW guidance highlights the most noteworthy changes introduced by MLR17. “I think that the change practitioners will probably spend most time thinking about is the more prescriptive approach to whole firm risk assessment,” says David Stevens, former integrity and law manager at ICAEW and manager of the CCAB money laundering working party and secretary to its ethics group.
Whole firm risk assessment
Throughout MLR 2007 (MLR07) firms were encour - aged to assess the risks their business faced and the risk that clients would be involved in money laundering or terrorist financing. MLR17 (s.18) requires a written risk assessment and lists factors that must be taken into account, including customers of the firm, countries or geographic areas it oper - ates in, its products and services, transactions and delivery channels. “Many firms will already be doing this and anyone familiar with the old regime will be familiar with the concept,” says Stevens. However, the “emphasis” in MLR07 has become a “legislative must” in MLR17.
Firms can continue to use Chapter 4 of the CCAB guidance (ICAEW Technical Release 04/08) to help with the performance of risk assessments and a link to this can be found in ICAEW’s summary of the 2017 regulations. Some of the language in MLR17 may send shivers down the spines of practitioners. Internal controls s.21c states that firms must establish an “independ - ent audit function” to assess the adequacy and effectiveness of the firm’s AML policies, controls and procedures. This is not as scary as it may initially seem, as sole practi - tioners with no employees are exempt and “audit” and “independent” are not used in the way that is specific to the accountancy profession.
“What the MLR is asking for is a compliance review of AML policies and procedures and it does not have to be done by somebody outside the firm,” explains Stevens. If your firm is already performing a money launder - ing compliance review this should address the new MLR17 requirement for an independent audit function and small firms that already have cold file reviews carried out may want to add AML compliance to these.
Firms must also appoint an indi - vidual who is on the board of directors (or equivalent management body), or a member of senior management, as the officer responsible for compli - ance with MLR17 (s.21a). This person needs sufficient seniority to direct all staff members and the authority to ensure compliance. ICAEW guidance describes this person as a money laun - dering compliance principal (MLCP). Sole practitioners with no employees are exempt. MLR17 (and MLR07 before it) requires firms to appoint a “nominated officer” to receive internal suspicious activity reports and assesses whether a suspicious activity report should be made to the National Crime Agency (NCA). This is a role that’s been widely described (by ICAEW and others) as a money laundering reporting officer (MLRO). Where this person is sufficiently senior they can act as both MLCP and nominated officer.
Knowledge and training
Where appropriate to the size and nature of the business, MLR17 (s.21b) requires firms to assess the skills, knowledge, conduct and integrity of those employees who are involved in identifying, mitigating, preventing or detecting money laundering and terrorist financing. Staff whose work is relevant to MLR compliance must be screened before and during appointments. “I think this will probably take place as part of normal recruitment and appraisal processes,” says Stevens. MLR17 also requires firms to regularly train their staff in how to recognise and deal with transac - tions and other activities which may be related to money laundering or terrorist financing.
“ICAEW firms are already required to have training processes in place and this is a good opportunity to review these processes and the documentation attached to them,” he adds. It’s worth noting that as well as having sufficient seniority and authority to direct staff and ensure compliance with the UK’s AML regime, the individual who is appointed as MLCP must have an appropriate understanding of the business, its service lines and its clients. They must also have the time, resources and the capacity to fulfil their role, which will demand knowledge of MLR17 and the firm’s group-wide AML policies, controls and procedures.
Policies, controls and procedures
MLR07 required firms to have policies, controls and procedures to prevent activities related to money laundering and terrorist financing and to meet data protection requirements. MLR 2017 (s.19 and s.20) requires these to be documented and approved by senior management. It also introduces a new requirement for firms with overseas subsidiaries and branches to establish group wide policies and procedures that comply with UK requirements.
Client due diligence
MLR17 retains the core requirement that you must perform client due diligence before you establish a business relationship and when you identify any factors relevant to your risk assessment that have changed. However, it also makes some minor changes around simplified due diligence (SDD) (s.37) and some much more significant changes around enhanced due diligence (EDD) (s.33). MLR17 includes a list of specific situations where EDD must be applied and a list of risk factors that might indicate that there is a high-risk of money laundering or terrorist financing, for consideration.
If your firm’s risk assessment identifies the need for EDD, MLR17 also specifies the minimum response required and suggests some additional measures that may also be performed as part of EDD. There are also some changes in MLR17 around reliance on third parties (s.39), if your firm places reliance on the CDD of a third party, or if a third party places reliance on your CDD. If you are relying on a third party, you must obtain all relevant information. You must also enter into a written arrangement that confirms that the firm being relied on will provide the relevant documentation immediately on request.
Evolution not revolution
Overall, many firms will find the transition from MLR07 to MLR17 to be evolutionary rather than revolution - ary. The new regulations acknowledge that the nature of risk assessment will depend on the size and nature of your firm (hence the exemptions for sole practitioners). Nonetheless, ICAEW’s guidance notes the importance of properly identifying and assessing the risk of money laundering or terror - ist financing and ensuring that your assessments are documented. During 2018, ICAEW may perform a themed review of firm-wide AML risk assessments and may ask a sample of firms to submit their risk assess - ments for this. “ICAEW rewrote its guidance from the ground up to make it more practical and user friendly,” says Stevens. There may still be areas that firms find difficult, and the results of the review will enable ICAEW to provide feedback and more guidance where this is needed.