Legal development

Demystifying the money laundering amendments

Insight Hero Image

    1. Introduction

    On 21 July 2022, HM Treasury published the Money Laundering and Terrorist Financing (Amendment) (No 2) Regulations 2022 (SI 2022/860) (SI), which makes a variety of amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs).

    Industry has predominantly focussed on the extension of the travel rules to cryptoassets and new change in control rules for cryptoasset exchanges and custodian wallet providers which are registered with the FCA (together, FCA registered cryptoasset business). However, certain amendments also impact existing obliged entities, In particular:

    1. Obliged entities will be required to mitigate proliferation financing (through policies, procedures, controls, and business risk assessments). This is in addition to the existing obligation to mitigate money laundering and counter-terrorist financing;
    2. Obliged entities will be required to obtain proof of registration for (certain) overseas entities on the newly created register of overseas entities (ROE), which records beneficial ownership of UK property and report any "material" discrepancies. This is in addition to the existing obligation to obtain proof of registration on the register of persons of significant control (PSC Register) and proof of registration on the Trust Registration Service (TRS) which also required the reporting of material discrepancies. In addition, the obligation to report material discrepancies will apply on an ongoing basis, previously it only applied before establishing a relationship;
    3. Account Information Service Providers (AISPs) have been de-scoped from the MLRs but Payment Initiation Service Providers (PISPs) remain in scope (we do not detail this further);
    4. Art market participants who sell their own works whether as an individual or through a company or partnership have been de-scoped from the MLRs (we do not detail this further);
    5. Trust or Company Service Providers (TCSPs) will be treated as entering into a business relationship which triggers the requirement to apply due diligence when it seeks to form any business arrangement that must be registered with Companies House including LPs, irrespective of whether the TCSP expects to have a continuing relationship or not;
    6. AML supervisors (e.g. the FCA and HMRC) have been given a new right to access suspicious activity reports submitted to the NCA via a new dedicated 'gateway', provided access is necessary to fulfil supervisory functions (we do not detail this further).

    We further detail the changes related to cryptoassets, proliferation financing, obtaining proof of registration and reporting material discrepancies below.

    2.  Change in control requirements for cryptoassets exchanges and custodian wallet providers

    The SI brings elements of the change in control regime under the Financial Markets and Markets Act 2000 ("FSMA") within scope of the MLRs to include cryptoasset exchange providers and custodian wallet providers. The FCA change in control webpage has also been updated to reflect these new obligations and includes the new notification forms for proposed controllers of FCA registered cryptoasset businesses.

    Going forward, any person acquiring 'control' of an FCA registered cryptoasset firm is required to receive prior approval from the FCA. Acquiring control of an FCA registered cryptoasset firm without prior authorisation or as otherwise permitted under the FCA Rules constitutes a criminal offence under FSMA. Reducing or ceasing to have control are not subject to the regime.

    Controllers are persons holding 25% or more of the shares or voting power in an FCA registered cryptoasset business or any of its parent undertakings, and persons otherwise able to exercise significant influence over the management of the business, whether on their own or acting in concert. The definition of a 'controller' of an FCA registered cryptoasset business also includes persons who are beneficial owners of such businesses as defined in Regulations 5 and 6 of the MLRs.

    The new Section 178 Controller Forms for FCA registered cryptoasset businesses are similar to the existing forms for other types of FCA regulated firms, but include amended 'fitness and propriety' questions to assist the FCA with assessing whether the proposed controllers are 'fit and proper persons' under Regulation 58A of the MLRs.

    The FCA has 60 working days to assess a complete change in control notification (i.e. after the FCA notifies and receives outstanding information). The period can be extended by up to 30 working days.

    These obligations came into force on 11 August 2022, 21 days after the SI passed.

    3.  Extension of the "travel rule" to cryptoassets

    The SI inserts a new Part 7A into the MLRs which implements Recommendation 16 of the FATF to extend the 'travel rule' to cryptoasset transfers. The travel rule is an existing requirement for financial institutions to share identifying information about the sender and recipient (payer and payee) of a wire transfer, in the payment message.

    FCA registered cryptoasset businesses which provide services to the originator or beneficiary are caught (i.e. cryptoasset exchange providers and custodian wallet providers). Intermediaries that are also FCA registered cryptoasset businesses are also caught (e.g. those providing services on behalf of either the beneficiary's or originator's cryptoasset business but not software providers or cloud service providers). HM Treasury gave the below example in its Consultation Response:

    "if Firm A offers custodian wallet services via its website, on which customers can manage their holdings, but has a sub-custody contract with Firm B, which makes and receives cryptoasset transfers and manages cryptographic keys on its behalf, the Travel Rule will apply to both firms, ensuring that Firm A must collect and then supply Firm B with the required beneficiary and originator information, and Firm B must ensure that the information is received and passed on alongside the transfer."

    Different cryptoasset transfers attract different (minimum) information sets (see below) which must be shared alongside the transfer. The information should not be shared "on chain" but via a non-publicly-accessible system.

     INFORMATION ON THE ORIGINATORINFORMATION ON THE BENEFICIARYOBLIGED ENTITY
    UK deomestic transfers

    Account number or unique transaction identifier.

    This is subject to a requirement to provide full set of information (see top row) withing three (3) working days, on the request of the beneficiary's cryptoasset business.

    Originator's cryptoasset business to send information with transfer
    Cross-border transfers above €1000*Name and one of: customer identification number, address, birth certificate number / passport number / national identity card number, date and place of birthName and account number or unique transaction identifier in lieu of account numberOriginator's cryptoasset business to send information with transfer
    Un-hosted wallet transfers above €1000* with elevated risk of illicit financeAs aboveAs aboveCryptoasset business to request information which it does not already hold from its customer
    Cross-border transfers below €1000*Name and account number or unique transaction identifier in lieu of account numberOriginator's cryptoasset business to send information with transfer
    Un-hosted wallet transfers below €1000* with elevated risk of illicit finance As aboveCryptoasset business to request information which it does not already hold from its customer

    *The de minimis threshold is EUR 1000 (this is less than GBP 1,000 at current exchange rates). HMT will consider whether to replace this with a GBP value in future.

    In determining whether the de minimis threshold is met, cryptoasset transfers which appear to be linked should be aggregated (e.g. multiple transfers from a single originator that appear to be linked), but cryptoasset transfers should be treated separately to fiat currency transfers.

    Cryptoasset businesses have a 12-month implementation period with the travel rule coming into force on 1 September 2023.

    Proliferation financing

    Regulation 6 of the SI implements Recommendation 6 of the FATF and requires in-scope entities to identify, assess and take effective action to mitigate proliferation financing risks, in addition to combatting money laundering and terrorist financing.

    Proliferation financing refers to providing funds or financial services for use in the manufacture, acquisition, development, transport, or other related activity or use of weapons (whether chemical, biological, nuclear or radiological).

    In-scope entities will be required to:

    • conduct a risk assessment to identify and assess the risks of proliferation financing associated with the in-scope entity's business, taking into account the entity's: (a) customers; (b) countries or geographic areas in which it operates; (c) products or services; (c) transactions; and (d) delivery channels, and have it recorded in writing. The obligation is near-identical to the existing obligation to perform a money laundering / terrorist financing risk assessment, and therefore the assessments can be combined in the same document, or be carried out separately;
    • implement and maintain proliferation financing policies, procedures and controls to mitigate and manage the risks of proliferation financing. These should be revised and updated regularly, approved by senior management and communicated to staff. The obligations are near-identical to the existing obligations in relation to money laundering / terrorist financing; and
    • implement staff training in relation to proliferation financing in addition to money laundering and terrorist financing training.

    Curiously, proliferation financing considerations have not been explicitly extended to customer due diligence, although obliged entities need to have in place measures to identify unusually large or complex transactions, transactions which serve no apparent purpose and other relevant activity which may be linked to proliferation (i.e. a monitoring obligation). Notwithstanding this omission, it would not be surprising if obliged entities voluntarily treat business relationships with a connection to the chemical, biological, nuclear or radiological sector as higher risk as part of their approach to customer due diligence.

    Obligations in relation to proliferation financing will come into force on 1 September 2022.

    Checking the register of overseas entities and reporting discrepancies 

    The SI extends the scope of the discrepancy reporting regime.

    Under the existing rules, obliged entities must obtain proof of registration of UK companies, UK LLPs, Scottish LPs and Scottish QPs on the PSC Register and report material discrepancies, as well as obtain proof of registration of UK trusts and non-UK trusts with UK assets on the TRS and report material discrepancies.

    Going forward, obliged entities will also need to obtain proof of registration of overseas persons with "relevant interest" in UK land on the ROE. The ROE was introduced on 1 August 2022 under the Economic Crime (Transparency and Enforcement) Act. Overseas entity with a freehold over UK land, or a more than seven (7) year lease on UK land are required to register on the ROE and provide details of persons of significant control including beneficial owners who hold more than 25% of the shares or voting rights. For more detail on the ROE please see our briefing here.

    Further, the obligation to report discrepancies was historically a point-in-time obligation which applied when a firm onboarded a customer. The SI amends the MLRs and requires obliged entities to report material discrepancies which are identified during the business relationship as a result of ongoing customer due diligence such as KYC refreshes.

    Material discrepancies include incorrect names, date of birth, nationality, correspondence address, and missing or incorrect entries for a person of significant control or beneficial owner.

    Due to industry views that the above obligations would function more effectively once the broad Companies House reform has taken place, a grace period has been added and these obligations come into force on 1 April 2023.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.