The money laundering regulations 2007: civil and criminal sanctions for non-compliance with customer due diligence
An overview of the Regulations, including the criminal and civil powers designed to combat money laundering and terrorist financing.
The Money Laundering Regulations 2007 (“the Regulations”) impose duties upon institutions, firms and individuals in respect of customer due diligence (“CDD”) and the Financial Conduct Authority (“the Authority”) has powers at its disposal under the Regulations, which are also used by other government organisations, to sanction those who fail to comply with their requirements.
This overview looks at some of the CDD requirements placed upon firms, as well as the factors the Authority will consider when deciding whether to impose a penalty in the event of non-compliance.
The Regulations are the United Kingdom’s implementation of Directive 2005/60/EC on the Prevention of the use of the Financial System for the purpose of Money Laundering and Terrorist Financing.
In recent years, the Authority has shown a willingness to take individual action against the Money Laundering Reporting Officer (“MLRO”) as well as taking action against the firm. This will hopefully not act as a deterrent to those who wish to take on such a demanding role, but it does highlight the expectation that individuals in these positions must be conversant with their duties.
Regulation 45 provides that non-compliance with the Regulations is an either-way offence. When tried on indictment, an offence under Regulation 45 can attract a custodial sentence of up to two years as well as a fine.
There is a statutory defence available to such a charge if the relevant person took all reasonable steps and exercised all due diligence to avoid the offence being committed. In assessing whether there has been a failure, the court must take into account the relevant guidance in place at the time.
The Regulations provide for both individual and corporate liability as Regulation 47 provides that if a body corporate is shown to have committed an offence under Regulation 45 with the consent, connivance or neglect of an officer of the body corporate, the officer and the body corporate are both guilty.
Under Regulation 42(1), the Authority is empowered to impose civil penalties upon those who breach the Regulations.
The Authority is not the only body that has the ability to use Regulation 42 to impose a civil penalty, as the Office of Fair Trading has its own guidance on this area and the Regulations have also been utilised by HMRC.
In mirroring the statutory defence available to a criminal charge, the Authority must not impose a civil penalty where there are reasonable grounds for it to be satisfied that the person took all reasonable steps and exercised all due diligence to ensure the requirements of the Regulations would be met.
In deciding whether to impose a civil penalty, the Authority will consider any relevant guidance issued by a supervisory authority. The prime example in this context is the Joint Money Laundering Steering Group Guidance (“JMLSG”).
As well as considering the guidance in relation to the activities being provided by the firm or individual, it must first be proven that, as a matter of law, the services being provided are within the ambit of activities covered by the guidance in question: see Thames Valley Payroll Ltd v Revenue and Customs Commissioners  UKFTT 950 TC in relation to accounting and bookkeeping activities.
“All Reasonable Steps”
In terms of what will amount to “all reasonable steps,” the dicta in The Clean Car Co Ltd v Customs and Excise Commissioners  VATTR 234 concerning what will amount to a “reasonable excuse” was applied by analogy in Houghton v The Commissioners for HMRC  UKFTT 716 (TC) to whether a person had taken “all reasonable steps.” The test considered by the court was:
“[whether a taxpayer has a reasonable excuse] is an objective test in this sense. One must ask oneself: was what the taxpayer did a reasonable thing for a responsible trader conscious of and intending to comply with his obligations regarding tax, but having the experience and other relevant attributes of the taxpayer and placed in the situation that the taxpayer found himself at the relevant time, a reasonable thing to do?”
When Will The Authority Take Action?
Then considering whether to take action, the Authority will have regard to all the circumstances and DEPP 6 lists a number of non-exhaustive factors, which are divided into the following categories:
The nature, seriousness and impact of the suspected breach
The conduct of the person after the breach
The previous disciplinary record and compliance history of the person
FCA guidance and other published materials
Action taken by the FSA or FCA in previous similar cases.
Action taken by other domestic or international regulatory authorities
In relation to breaches of the Authority’s rules on money laundering systems and controls, DEPP 6 specifically states that the Authority will take account of whether the firm has followed the guidance from the JMLSG.
Overview Of The Requirments Within The Regulations
Who Is Subject To The Regulations?
Subject to the exclusions with in Regulation 4, Regulation 3 identifies the persons who are subject to the Regulations.
Regulation 3 provides that these apply to financial institutions, auditors, insolvency practitioners, external accountants, tax advisors, independent legal professionals, trust or company service providers, estate agents, high value dealers and casinos.
In relation to the application to “high value” traders, the Tribunal has previously expressed concern over aggregating linked transactions for the purpose of assessing “culpable turnover,” which is the test HMRC was applying: see Thompsons Discount Electrical Ltd v The Commissioners for Her Majesty’s Revenue and Customs  UKFTT 00263 (TC).
Customer Due Diligence Measures
Regulation 5 provides that the customer’s identity should be verified by documents, data or information from a reliable and independent source.
When there is a “beneficial owner” (as defined by Regulation 6) who is not the customer, adequate measures should be taken on a “risk sensitive basis” to verify their identity and to understand the nature of the relationship with that person. The relevant person should also make sure they obtain information on the purpose and intended nature of the business relationship with the customer.
When Must Customer Due Diligence Measures Be Applied?
Regulation 7(1) provides that the relevant person must apply CDD when:
Establishing a new business relationship;
Carrying out an occasional transaction;
It suspects money laundering or terrorist financing; or
It doubts the veracity or adequacy of documents, data or information previously obtained for the purposes of identification or verification.
In addition to these mandatory scenarios provided for by Regulation 7, Regulation 7(2) states that the relevant person must also apply CDD at other appropriate times to existing customers on a “risk-sensitive” basis.
The automatic exemptions from conducting CDD provided for by Regulation 13, which allowed for “Simplified due diligence” was removed by the Fourth EU Anti-Money Laundering Directive (EU 2015/849) (“Fourth Directive”), which is due to be transposed in June 2017. Instead of being automatic, the circumstances described in Regulation 13 may be taken into account in the future as part of a justification for measures taken, which is in-keeping with the added emphasis the Fourth Directive places on taking a risk-based approach.
Regulation 8 makes clear that the relevant person’s CDD obligations are not restricted to the start of the relationship, in accordance with Regulation 7(3).
If a relevant person is unable to satisfy the CDD requirements imposed by the Regulations, he must not carry out the transaction and must terminate the existing relationship. In addition to this, the relevant person should consider whether he is required to make a disclosure by Part 7 of POCA 2002 or Part 3 of the Terrorism Act 2000.
Section 330 of POCA 2002 makes it an offence for a person in the regulated sector not to make a disclosure as soon as reasonably practicable if he knows or suspects or has reasonable grounds for knowing or suspecting that another is involved in money laundering and that information came to him in the course of his regulated business. Sections 331 and 332 of POCA 2002 govern nominated officers
Section 19 of the Terrorism Act 2000 governs the general duty of disclosure (outside the regulated sector) where information is acquired in the course of a person’s trade, profession, business or employment and section 21A criminalises a failure to disclose in the regulated sector in similar terms to section 330 of POCA 2002.
Enhanced Customer Due Diligence & Ongoing Monitoring
Regulation 14 prescribes that enhanced customer due diligence (“EDD”) should be conducted on a risk-sensitive basis in certain situations.
The specific examples where a relevant person must apply EDD are contained within Regulation 14(2) to (4). These can be summarised as:
Where the customer has not been physically present for identification purposes;
When the relevant person is a credit institution and the relationship being entered is a correspondent banking relationship with a respondent from a non-EEA state; or
When the relationship is with a politically exposed person (“PEP”), as defined by Regulation 14(5).
Once again, in addition to these mandatory situations, the firm must apply EDD on a risk-sensitive basis in any other situation that, by its nature, can present a higher risk of money laundering or terrorist financing.
If the relevant person is a credit or financial institution, Regulation 15 provides that it must ensure that any branches or subsidiaries in non-EEA states apply measures at least equivalent to the requirements of the Regulations and Regulation 16 prohibits a credit institution from entering into a correspondent banking relationship with a shell bank.
The changes brought about by the Fourth Directive dictate that EDD will need to be performed when dealing with persons or entities from high risk countries (an initial list was published in September 2016 of these countries).
The Fourth Directive also makes changes to dealing with PEPs. The Fourth Directive requires EDD in respect of domestic and foreign PEPs and provides definitions of “persons known to be close associates” and “family members.” Relevant persons should also have procedures in place for identifying PEPs and considering their continuing risk for a 12-month period after they have lost their PEP status.
Outsourcing & Record-keeping
Regulation 17 deals with the relevant person relying on others to conduct his CDD.
Regulation 17 provides that the relevant person may rely upon another but only if the other person is one of those listed or he has reasonable grounds to believe is listed and the other person consents. Notwithstanding this ability to delegate or outsource, the relevant person still remains liable for any failure to apply CDD measures.
The persons listed are: a credit or financial institution which is an authorised person; an auditor, insolvency practitioner, external accountant, tax advisor or independent legal professional who is supervised by a body listed in Part 1 of Schedule 3 (e.g. ACCA); a listed person in a non-EEA state who satisfies the registration and supervision requirements
The other person relied upon also has to keep records for a period of five years. The relevant person’s duties to oversee this do not apply to situations where he has used an outsourcing service provider or agent.
Regulation 19 provides that the evidence of the CDD measures must be kept for five years. The Regulation specifies when this begins to run but it is generally from the date of the transaction or from the end of the business relationship.
Regulation 20 imposes a duty upon the relevant person to establish and maintain appropriate and risk-sensitive policies relating to its CDD and ongoing monitoring, its reporting obligations, record keeping, internal controls, risk assessment and management, and the monitoring and management of its policies.
Regulation 21 provides that the relevant person must take appropriate measures so that all of his relevant employees are aware of their legal responsibilities and how to recognise money laundering and terrorist financing. Therefore, the relevant person has training responsibilities from both a legal and practical perspective.
Whilst the Regulations have been in force for some time, given the flexibility they afford a regulatory body in terms of any enforcement action, whether criminal or civil, they are an attractive mechanism for attempting to combat financial crime and terrorist financing.
The obligations are understandably rigorous in respect of what are perceived to be higher risk transactions and the willingness to take action against firms and relevant individuals underlines the importance of firms appointing suitable people to these roles and for those individuals to keep abreast of the latest guidance in their area.
The changes due to take place in 2017, in light of the transposition of the Fourth Directive, are a key example of the need to update training and procedures in respect of Anti-Money Laundering systems and controls.