COVID-19 has changed much, but not the UK government’s determination to follow through on Brexit—it still insists the transition period must not outlast this year. When it comes to money laundering regulations, though, we have already seen big changes that many might have missed.
All the recent attention has been on the transposition of the fifth Money Laundering Directive (MLD) into UK law, which came into force on January 10. Another amendment to the Money Laundering Regulations 2017 (MLR 2017) that took effect at the end of the same month received much less attention.
That’s perhaps because, in one sense, the Money Laundering and Transfer of Funds (Information) (Amendment) (EU Exit) Regulations 2019, the Brexit amendment, is an exercise in tidying up. It merely helps maintain existing anti-money laundering (AML) protections while removing references to European institutions like the Commission and EU directives.
It does, however, make one significant change. The definition of a “third country,” referred to several times within MLR 2017 (as amended), is no longer a country outside the European Economic Area (EEA), but any country outside the UK.
It’s a seemingly small change that could have profound consequences for some regulated firms.
A Fresh Look at Jurisdictions
The change in definition has two related impacts. First, the requirements to conduct enhanced due diligence on those in “third countries” now applies to anyone outside the UK. Second, it removes assumptions regarding the “equivalence”1 of EEA member states’ AML regulations. To continue to comply with MLR 2017, as amended, firms may need to conduct jurisdiction risk assessments for firms and individuals on the continent.
The impact that this could have is perhaps most evident when it comes to correspondent banking. Under regulation 34 of MLR 2017, firms must apply enhanced due diligence (looking at ownership, structure, directors and so on) and some additional measures for relationships with respondent banks in a third country. They include determining the reputation of the respondent, assessing the quality of supervision to which they are subject and obtaining senior management approval to establish the relationship.
Expanding those checks to relationships within the EEA will create significant additional work—particularly bearing in mind the observation concerning equivalence of the AML regulations. Firms cannot merely rely on the fact that all member states have implemented the fourth and fifth Directives. They should assess how each country has implemented the Directives and determine if it is “similar” to the UK’s standards. Given the EU Commission’s criticism of various countries for failing to implement the fourth MLD (4MLD) in time or within the spirit of the regulation, that’s not a foregone conclusion.
There are other changes, too. For instance, under regulation 20 of MLR 2017, as amended, British firms with subsidiaries or branches in a third country with AML regulations “not as strict” as the UK’s must ensure they apply UK equivalent measures. This provision now includes subsidiaries or branches within and outside the EEA. There are even more changes. For instance, the 100 pages long Guidance on Risk Factors issued by the European Supervisory Authority no longer forms part of the amended MLR 2017. This may mean that the onus of keeping up to date, robust and consistent standards for business and customer risk assessment can fall on the Joint Money Laundering Steering Group (JMLSG) or the Financial Conduct Authority (FCA). The alternative is a risk of firms relaxing their criteria on when to apply enhanced due diligence.
The changes will not necessarily mean higher standards of due diligence in every case.
A provision of MLR 2017 (as amended), for example, requires firms to apply enhanced due diligence when dealing with customers in high-risk countries identified by the European Commission under Article 9.2 of 4MLD, except where the customer is a branch or majority-owned subsidiary of an EEA-regulated firm. The Brexit amendment to MLR 2017 retains the provision of article 9.2 but replaces the reference to the EEA with a third country with regulation equivalent to 4MLD. With this, the scope of the exception now extends to branches and subsidiaries in jurisdictions outside the EEA.
A similar effect is seen in customer risk assessments under MLR 2017 (as amended), and the factors that firms must consider when deciding whether to apply enhanced or standard due diligence. Following the Brexit amendment, firms assessing credit or financial institutions may consider the fact that the customer is based in a jurisdiction that implemented the 4MLD in its national law as a factor decreasing risk. Previously, that applied only to those customers in countries directly transposing 4MLD.
These are the exceptions, however. In general, the requirement to review relationships in light of the amendments and the need to assess robustness of the AML legislation across EEA states will likely increase workloads significantly.
A Way Out?
What benefit that increased workload will bring is open to question. After all, the jurisdictional risk of EEA states has not changed since January. Neither have many of the firms that are now required to conduct enhanced due diligence.
It may be that the government steps in. It could, for instance, in its next iteration of its National Risk Assessment—expected from the Treasury mid-year—acknowledge correspondent banking remains a high-risk sector but make an exception within the EEA. The FCA (up to now curiously quiet on the Brexit changes) also has the power to publish sector views on risk that regulated firms must consider. Again, it could use this to limit the required due diligence for transactions involving EU firms. So far, though, there’s no sign of either. Perhaps, given that some EEA banks have been central to the recent big money laundering scandals, the apparent hesitancy to step in is not entirely misplaced.
In any case, in the absence of such relief, firms should carefully review the changes the amendment has brought in and begin their review of due diligence for relationships and transactions across the EEA.
This article was first published in Compliance Matters on May 12, 2020.
This article is part of Duff & Phelps’ Global Regulatory Outlook 2020 series.
1 Previously there was an assumption that all EEA member states that implemented EU directives have equivalent AML legislation even though some member states have only implemented the bare minimum. As such, in practice some member states were never “equivalent” to the UK, which took a more stringent approach.