• Home
  • News
  • The Money Laundering Regulations 2017: Six weeks to implementation

16 May 2017

The Money Laundering Regulations 2017: Six weeks to implementation


A less prescriptive approach, but a greater compliance burden?

On 26 June 2017 the Money Laundering Regulations 2017 ("the 2017 Regulations") will come into force, transposing into UK law the Fourth Money Laundering Directive ((EU) 2015/849) ("MLD4").

The European Commission introduced MLD4 as, "not a fundamental re-calibration of the anti-money laundering rules, but rather a refinement of the rules". 

The critical, philosophical change in the refined rules – as applied by the Government in the 2017 Regulations (published in draft on 15 March 2017) – is a shift from a prescriptive to a more risk-based approach. In practice, many financial services institutions may find that this change in emphasis generates more, not less, work, in order to achieve compliance.

Some of the most important, practical implications of the 2017 Regulations are summarised below:

Customer Due Diligence

At present, the Money Laundering Regulations 2007 ("the 2007 Regulations") prescribe certain circumstances and clients in respect of which "Simplified Due Diligence" can be applied – for example, when the customer is an EEA financial services firm or listed company.

The 2017 Regulations do not allow any equivalent, automatic departure from CDD requirements, based on customer type alone. Instead, firms will be able to "adjust the extent" of CDD measures where a business relationship / transaction is determined to present a lower risk of money laundering. In making individual determinations as to risk, firms will have to take account of their risk assessment (on which, see below) and the customer, product and geographical factors set out in Regulation 36 of the 2017 Regulations.

The 2017 Regulations also expand on the 2007 Regulations by requiring the application of Enhanced Due Diligence Measures where:

  • a transaction of business relationship involves "a person established in a high-risk third country" (to be defined by the European Commission); or 
  • the customer is a Politically Exposed Person ("PEP") "or a family member or known close associate of a PEP" (Regulation 35, 2017 Regulations).

The Financial Conduct Authority ("FCA") has published draft guidance on the treatment of PEPs under the 2017 Regulations, which seeks to clarify who should be considered a PEP, a family member of a PEP or known close associate, and the steps that firms should take when dealing with higher or lower risk PEPs.

Risk assessment, policies and procedures 

Although the 2007 Regulations refer to the necessity for a money laundering risk assessment (Regulation 20, 2007 Regulations) the emphasis placed by MLD4 / the 2017 Regulations on the risk-based approach elevates the importance of the risk assessment considerably. Regulation 18 of the 2017 Regulations requires firms to consider specific heads of risk – customer, geographic, products, transactions and delivery channels – when carrying out the risk assessment.

Once drafted, the 2017 Regulations envisage the risk assessment as fundamental to day to day conduct of a risk-based approach to compliance:

  • Regulation 19 of the 2017 Regulations clearly envisages that AML policies and procedures will be drafted with reference to the risk assessment;
  • The 2017 Regulations also specifically mandate that "the ways in which a relevant person complies with the requirement to take customer due diligence measures, and the extent of the measures taken must reflect the risk assessment carried out by the relevant person under regulation 18(1)" (Regulation 28(12) 2017 Regulations).

Employee screening and training 

The 2017 Regulations will create an obligation on larger firms to conduct initial and periodic "screening" of "relevant employees" (Regulation 21(1)(b) 2017 Regulations).

A relevant employee is defined as anyone whose work is:

  • relevant to the firm’s compliance with any requirement in the Money Laundering Regulations; or
  • otherwise capable of contributing to the:
    - identification or mitigation of the risks of money laundering/ terrorist financing to which the firm is subject; or
    - prevention or detection of money laundering/ terrorist financing in relation to the firm’s business.

This definition appears to catch not only compliance staff, but also employees in the front office, who introduce business and engage with clients.

Screening of relevant employees means an assessment of:

  • the skills, knowledge and expertise of the individual to carry out their functions effectively; and
  • the conduct and integrity of the individual.

The screening obligation is to be applied by firms only "where appropriate with regard to the size and nature of [their] business". Guidance is awaited on precisely what size and type of firm will be subject to this potentially onerous and ongoing obligation.

As regards training: Regulation 24 of the 2017 Regulations requires that relevant employees are:

  • made aware of the law relating to money laundering and terrorist financing, and to data protection; and
  • regularly given training in how to recognise and deal with transactions and other activities which may be related to money laundering and/or terrorist financing.

Suitable training for front office and AML / compliance staff will need to be arranged and delivered in short order after the entry into force of the 2017 Regulations on 26 June 2017.

Investigation and enforcement

The 2017 Regulations make extensive provision for the investigation of breaches of AML requirements (Part 8) and for civil enforcement action and criminal prosecution where breaches are found to have occurred (Part 9).

New criminal offences are created by the 2017 Regulations. Any individual who recklessly makes a statement which is false or misleading, in the context of a money laundering investigation – for example, in response to information request by a Supervisor, under Regulation 65 – commits an offence, punishable by up to 2 years' imprisonment. 

There is every sign that breaches of the requirements of the 2017 Regulations will be treated with increased severity by Supervisors.

In its recently published Business Plan for 2017/18, the FCA indicated that it would seek to utilise its power to prosecute under the Money Laundering Regulations: 

"Where firms have poor AML controls, we will use our enforcement powers to impose business restrictions to limit the level of risk, provide deterrence messages to industry, or both. 

We will generally use our civil powers, but if failings are particularly serious or repeated we may use our criminal powers to prosecute firms or individuals."

Practical steps

Ahead of the entry into force of the 2017 Regulations on 26 June 2017 there are several practical steps firms can take to prepare:

  • Relevant staff should review the draft 2017 Regulations, the new, draft JMLSG Guidance and the draft FCA Guidance on PEPs
  • Risk assessments should be reviewed with regard to the new requirements in Regulation 18 of the 2017 Regulations; 
  • Policies and procedures should cross-reference the risk assessment document;
  • CDD policies and documentation should be reviewed and amended, to remove automatic application of SDD (for example, in respect of regulated / listed firms) and to take account of the extended requirements for the application of EDD (for example, to domestic PEPs, or persons established in high risk third countries); 
  • Training on the 2017 Regulations, and (as newly required) the law on data protection, should be planned and rolled out to relevant employees; and 
  • Larger firms should prepare for "screening" of relevant employees, by considering how such employees might be assessed.
If you would like further information on the developments referred to in this alert, please contact Tony Woodcock, Alan Ward or your usual Stephenson Harwood contact.


Alan Ward

Alan Ward
Senior associate

T:  +44 20 7809 2295 M:  Email Alan | Vcard Office:  London

Tony Woodcock

Tony Woodcock

T:  +44 20 7809 2349 M:  +44 7825 625 903 Email Tony | Vcard Office:  London