Demystifying the money laundering amendments
18 August 2022
On 21 July 2022, HM Treasury published the Money Laundering and Terrorist Financing (Amendment) (No 2) Regulations 2022 (SI 2022/860) (SI), which makes a variety of amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs).
Industry has predominantly focussed on the extension of the travel rules to cryptoassets and new change in control rules for cryptoasset exchanges and custodian wallet providers which are registered with the FCA (together, FCA registered cryptoasset business). However, certain amendments also impact existing obliged entities, In particular:
We further detail the changes related to cryptoassets, proliferation financing, obtaining proof of registration and reporting material discrepancies below.
The SI brings elements of the change in control regime under the Financial Markets and Markets Act 2000 ("FSMA") within scope of the MLRs to include cryptoasset exchange providers and custodian wallet providers. The FCA change in control webpage has also been updated to reflect these new obligations and includes the new notification forms for proposed controllers of FCA registered cryptoasset businesses.
Going forward, any person acquiring 'control' of an FCA registered cryptoasset firm is required to receive prior approval from the FCA. Acquiring control of an FCA registered cryptoasset firm without prior authorisation or as otherwise permitted under the FCA Rules constitutes a criminal offence under FSMA. Reducing or ceasing to have control are not subject to the regime.
Controllers are persons holding 25% or more of the shares or voting power in an FCA registered cryptoasset business or any of its parent undertakings, and persons otherwise able to exercise significant influence over the management of the business, whether on their own or acting in concert. The definition of a 'controller' of an FCA registered cryptoasset business also includes persons who are beneficial owners of such businesses as defined in Regulations 5 and 6 of the MLRs.
The new Section 178 Controller Forms for FCA registered cryptoasset businesses are similar to the existing forms for other types of FCA regulated firms, but include amended 'fitness and propriety' questions to assist the FCA with assessing whether the proposed controllers are 'fit and proper persons' under Regulation 58A of the MLRs.
The FCA has 60 working days to assess a complete change in control notification (i.e. after the FCA notifies and receives outstanding information). The period can be extended by up to 30 working days.
These obligations came into force on 11 August 2022, 21 days after the SI passed.
The SI inserts a new Part 7A into the MLRs which implements Recommendation 16 of the FATF to extend the 'travel rule' to cryptoasset transfers. The travel rule is an existing requirement for financial institutions to share identifying information about the sender and recipient (payer and payee) of a wire transfer, in the payment message.
FCA registered cryptoasset businesses which provide services to the originator or beneficiary are caught (i.e. cryptoasset exchange providers and custodian wallet providers). Intermediaries that are also FCA registered cryptoasset businesses are also caught (e.g. those providing services on behalf of either the beneficiary's or originator's cryptoasset business but not software providers or cloud service providers). HM Treasury gave the below example in its Consultation Response:
"if Firm A offers custodian wallet services via its website, on which customers can manage their holdings, but has a sub-custody contract with Firm B, which makes and receives cryptoasset transfers and manages cryptographic keys on its behalf, the Travel Rule will apply to both firms, ensuring that Firm A must collect and then supply Firm B with the required beneficiary and originator information, and Firm B must ensure that the information is received and passed on alongside the transfer."
Different cryptoasset transfers attract different (minimum) information sets (see below) which must be shared alongside the transfer. The information should not be shared "on chain" but via a non-publicly-accessible system.
INFORMATION ON THE ORIGINATOR | INFORMATION ON THE BENEFICIARY | OBLIGED ENTITY | |
---|---|---|---|
UK deomestic transfers | Account number or unique transaction identifier. This is subject to a requirement to provide full set of information (see top row) withing three (3) working days, on the request of the beneficiary's cryptoasset business. | Originator's cryptoasset business to send information with transfer | |
Cross-border transfers above €1000* | Name and one of: customer identification number, address, birth certificate number / passport number / national identity card number, date and place of birth | Name and account number or unique transaction identifier in lieu of account number | Originator's cryptoasset business to send information with transfer |
Un-hosted wallet transfers above €1000* with elevated risk of illicit finance | As above | As above | Cryptoasset business to request information which it does not already hold from its customer |
Cross-border transfers below €1000* | Name and account number or unique transaction identifier in lieu of account number | Originator's cryptoasset business to send information with transfer | |
Un-hosted wallet transfers below €1000* with elevated risk of illicit finance | As above | Cryptoasset business to request information which it does not already hold from its customer | |
*The de minimis threshold is EUR 1000 (this is less than GBP 1,000 at current exchange rates). HMT will consider whether to replace this with a GBP value in future. In determining whether the de minimis threshold is met, cryptoasset transfers which appear to be linked should be aggregated (e.g. multiple transfers from a single originator that appear to be linked), but cryptoasset transfers should be treated separately to fiat currency transfers. |
Cryptoasset businesses have a 12-month implementation period with the travel rule coming into force on 1 September 2023.
Regulation 6 of the SI implements Recommendation 6 of the FATF and requires in-scope entities to identify, assess and take effective action to mitigate proliferation financing risks, in addition to combatting money laundering and terrorist financing.
Proliferation financing refers to providing funds or financial services for use in the manufacture, acquisition, development, transport, or other related activity or use of weapons (whether chemical, biological, nuclear or radiological).
In-scope entities will be required to:
Curiously, proliferation financing considerations have not been explicitly extended to customer due diligence, although obliged entities need to have in place measures to identify unusually large or complex transactions, transactions which serve no apparent purpose and other relevant activity which may be linked to proliferation (i.e. a monitoring obligation). Notwithstanding this omission, it would not be surprising if obliged entities voluntarily treat business relationships with a connection to the chemical, biological, nuclear or radiological sector as higher risk as part of their approach to customer due diligence.
Obligations in relation to proliferation financing will come into force on 1 September 2022.
The SI extends the scope of the discrepancy reporting regime.
Under the existing rules, obliged entities must obtain proof of registration of UK companies, UK LLPs, Scottish LPs and Scottish QPs on the PSC Register and report material discrepancies, as well as obtain proof of registration of UK trusts and non-UK trusts with UK assets on the TRS and report material discrepancies.
Going forward, obliged entities will also need to obtain proof of registration of overseas persons with "relevant interest" in UK land on the ROE. The ROE was introduced on 1 August 2022 under the Economic Crime (Transparency and Enforcement) Act. Overseas entity with a freehold over UK land, or a more than seven (7) year lease on UK land are required to register on the ROE and provide details of persons of significant control including beneficial owners who hold more than 25% of the shares or voting rights. For more detail on the ROE please see our briefing here.
Further, the obligation to report discrepancies was historically a point-in-time obligation which applied when a firm onboarded a customer. The SI amends the MLRs and requires obliged entities to report material discrepancies which are identified during the business relationship as a result of ongoing customer due diligence such as KYC refreshes.
Material discrepancies include incorrect names, date of birth, nationality, correspondence address, and missing or incorrect entries for a person of significant control or beneficial owner.
Due to industry views that the above obligations would function more effectively once the broad Companies House reform has taken place, a grace period has been added and these obligations come into force on 1 April 2023.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.