In the latest of our legal guide series, BCL partner John Binns explores the sorts of
considerations that regulated-sector businesses should have when
Regulations and guidance
The money laundering regulations (‘MLRs’) provide a
useful structure for the sorts of considerations that
regulated-sector businesses should have when establishing
themselves and throughout their commercial life. Starting with the
basics of defining what they do and whether the regulations are
engaged, they must then undertake a risk assessment (considering
the nature of their business and their client base), and design
policies, procedures and training with this in mind. They must
register and accept the jurisdiction of their supervising agency,
including the prospect of enforcement action.
Lest the prospect of all of that seem too daunting, help is at
hand from the regulations themselves, and the industry that has
grown up around them. The accumulated wisdom of decades of
compliance work, painstakingly supervised, monitored and assessed,
has resulted in a vast ecosystem of guidance documents from
national and international sources.
The MLRs contemplate that relevant businesses will have regard
to such guidance, and this will be considered in the event of
questions about whether and to what extent they have been
compliant. They also require sector-specific guidance to be
produced by each supervisor, which in turn must consider the
learning of the UK national risk assessment.
Policies, controls, and procedures
The challenge for those setting up in the regulated sector,
then, is to identify the guidance documents (and/or their specific
sections) that are most useful to them, and to establish robust
systems to put them into practice. To a large extent the business
can make use of template systems, outsourced services and software
that are suitable for their sector.
It will always be important, however, for those in overall
control to give proper consideration to the specifics of how the
regulations apply to them, and to ensure that it not only appoints
a Money Laundering Reporting Officer (‘MLRO’), but ensures
that they have appropriate expertise, support and resources to
carry out their functions.
Know your customer
While the specifics of the systems to be operated must depend on
the business concerned, it is possible to identify in broad terms
at least the basics of what will be required. When establishing a
new business relationship or considering a one-off transaction, the
regulated-sector business must carry out a Know Your Customer (KYC)
procedure to establish basic identifying information, including
name, address and date of birth for individuals, the ultimate
beneficial owners (UBOs) where appropriate, and an account of the
nature of the customer’s business, their source of wealth (in
general terms), and the source of the specific funds involved.
The process of verifying this information by collecting
certified or other copies of documents (including for example
passports and recent utility bills) is referred to as Customer Due
Diligence (CDD), with any more in-depth process of exploring these
questions being referred to as Enhanced Due Diligence (EDD).
Procedures in practice
Once the systems are in place, the imperative is to ensure they
are enforced appropriately, as well as kept under review and
revised where necessary. The concept of the ‘three lines of
defence’ is vital here: the first line represents the ‘coal
face’ of the business, whose personnel need to be familiar with
its KYC, CDD and EDD systems, and to know when to escalate issues
or seek advice; the second line is the MLRO (and any deputies),
whose job includes assisting the first line where needed; and the
third line is the (in-house or external) audit function, who will
monitor the systems’ operation and recommend changes where
The need for advice
The job of advising a regulated-sector business, then, will
either be in establishing or revising their systems, or in
assisting the MLRO when specific issues arise that are particularly
complex and/or serious. Typically, the questions in the latter
scenario will be about whether a SAR should be submitted, what it
should say, what consent (if any) is required, and how to deal with
the risks of tipping off.
While in many cases the business’ own systems will have led
it, quite properly, to a place where external advice is required,
there will be some scenarios in which the systems themselves are
arguably deficient, necessitating advice from someone other than
whoever designed them in the first place.
In addition, the adviser will need to keep in mind any
additional obligations arising from the business’ particular
sector, including for instance a bank’s duties to and
relationship with the FCA, or a lawyer’s professional standards
and duties to report to a supervisor such as the Solicitors’
Regulation Authority (SRA) or the Bar Standards Board (BSB).
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.