PART 1U.K.Introduction

Citation and commencementU.K.

1.—(1) These Regulations may be cited as the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

(2) These Regulations come into force on 26th June 2017.

Prescribed regulationsU.K.

2.  These Regulations are prescribed for the purposes of sections 168(4)(b) (appointment of persons to carry out investigations in particular cases) and 402(1)(b) (power of the FCA to institute proceedings for certain other offences) of the Financial Services and Markets Act 2000 M4.

General interpretationU.K.

3.—(1) In these Regulations—

“Annex 1 financial institution” has the meaning given by regulation 55(2);

“appropriate body” means any body which regulates or is representative of any trade, profession, business or employment carried on by a relevant person;

[F1“art market participant” has the meaning given by regulation 14(1)(d);]

“auction platform” has the meaning given by regulation 14(1)(c);

“auditor” (except in regulation 31(4)) has the meaning given by regulation 11(a);

“authorised person” means a person who is authorised for the purposes of FSMA;

“the FCA” means the Financial Conduct Authority;

“beneficial owner”—

“body corporate”—

“bill payment service provider” means an undertaking which provides a payment service enabling the payment of utility and other household bills;

“branch”, except where the context otherwise requires, means a place of business that forms a legally dependent part of the entity in question and conducts directly all or some of the operations inherent in its business;

“business relationship” has the meaning given by regulation 4;

F2...

[F3“the capital requirements regulation” means Regulation (EU) No. 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms;]

“cash” means notes, coins or travellers' cheques, in any currency;

“casino” has the meaning given by regulation 14(1)(b);

“the Commissioners” means the Commissioners for Her Majesty's Revenue and Customs;

“contract of long-term insurance” means any contract falling within Part 2 of Schedule 1 to the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 M5;

“correspondent relationship” has the meaning given by regulation 34(4);

“credit institution” has the meaning given by regulation 10(1);

[F4“cryptoasset exchange provider” has the meaning given by regulation 14A(1);

“custodian wallet provider” has the meaning given by regulation 14A(2);]

“customer due diligence measures” means the measures required by regulation 28, and where relevant, those required by regulations 29 and 33 to 37;

[F5“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);]

“Department for the Economy” means the Department for the Economy in Northern Ireland;

“designated supervisory authority” has the meaning given by regulation 76(8);

“document” means anything in which information of any description is recorded;

“electronic money” has the meaning given by regulation 2(1) of the Electronic Money Regulations 2011 M6;

“electronic money institution” has the meaning given by regulation 2(1) of the Electronic Money Regulations 2011;

“electronic money issuer” has the meaning given in regulation 2(1) of the Electronic Money Regulations 2011;

“eligible Scottish partnership” has the meaning given in regulation 3 of the Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (key terms) M7;

“the emission allowance auctioning regulation” means Commission Regulation (EU) No 1031/2010 of 12th November 2010 on the timing, administration and other aspects of auctioning of greenhouse gas emission allowances pursuant to Directive 2003/87/EC of the European Parliament and of the Council establishing a scheme for greenhouse gas emission allowances trading within the Community M8;

“enactment” includes—

“enhanced customer due diligence measures” means the customer due diligence measures required under regulations 33 to 35;

“estate agent” has the meaning given by regulation 13(1);

F6...

“external accountant” (except in regulation 31(4)) has the meaning given by regulation 11(c);

“financial institution” has the meaning given by regulation 10(2);

“firm” means any entity that, whether or not a legal person, is not an individual and includes a body corporate and a partnership or other unincorporated association;

“fourth money laundering directive” means Directive 2015/849/EU of the European Parliament and of the Council of 20th May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing M9[F7, as amended by Directive 2018/843 of the European Parliament and of the Council of 30th May 2018]M10;

“FSMA” means the Financial Services and Markets Act 2000 M11;

“funds transfer regulation” means Regulation 2015/847/EU of the European Parliament and of the Council of 20th May 2015 on information accompanying transfers of funds M12;

F8...

“group” has the meaning given by section 421 (group) of FSMA M13;

“high value dealer” has the meaning given by regulation 14(1)(a);

“independent legal professional” has the meaning given by regulation 12(1);

“insolvency practitioner” has the meaning given by regulation 11(b);

“law enforcement authority” has the meaning given by regulation 44(10);

[F9“letting agent” has the meaning given by regulation 13(3);]

“local weights and measures authority” has the meaning given by section 69 of the Weights and Measures Act 1985 (local weights and measures authorities) M14;

“manager”, in relation to a firm, means a person who has control, authority or responsibility for managing the business of that firm, and includes a nominated officer;

“markets in financial instruments directive” means Directive 2014/65/EU of the European Parliament and of the Council of 15th May 2014 on markets in financial instruments M15;

[F10“markets in financial instruments regulation” means Regulation (EU) 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments (as that Regulation forms part of domestic law under section 3 of the European Union (Withdrawal) Act 2018);]

“money laundering” has the meaning given by section 340(11) of the Proceeds of Crime Act 2002 M16;

“money service business” means an undertaking which by way of business operates a currency exchange office, transmits money (or any representation of monetary value) by any means or cashes cheques which are made payable to customers;

“the NCA” means the National Crime Agency;

“nominated officer” means a person who is nominated to receive disclosures under Part 3 (terrorist property) of the Terrorism Act 2000 M17 or Part 7 (money laundering) of the Proceeds of Crime Act 2002;

“notice” means a notice in writing;

“occasional transaction” means a transaction which is not carried out as part of a business relationship;

“officer”, except in Part 8 and Schedule 5—

“ongoing monitoring” (except where the context otherwise requires) means at least the measures described in regulation 28(11);

“payment services” has the meaning given by regulation 2(1) of the Payment Services Regulations [F112017];

“payment service provider” has the meaning given in regulation 2(1) of the Payment Services Regulations [F112017];

“politically exposed person” or “PEP” has the meaning given by regulation 35(12);

“the PRA” means the Prudential Regulation Authority;

“PRA-authorised person” has the meaning given by section 2B(5) of FSMA M18;

[F12“proliferation financing” has the meaning given by regulation 16A(9);]

“regulated market”—

“relevant parent undertaking” means a relevant person which is a parent undertaking;

“relevant person” means a person to whom, in accordance with regulation 8, Parts 1 to 6 [F15, 7A] and 8 to 11 of these Regulations apply;

“relevant requirement” has the meaning given by regulation 75;

“self-regulatory organisation” means one of the professional bodies listed in Schedule 1 to these Regulations;

“senior management” means an officer or employee of the relevant person with sufficient knowledge of the relevant person's [F16money laundering, terrorist financing and proliferation financing] risk exposure, and of sufficient authority, to take decisions affecting its risk exposure;

F17...M19

“specified disclosure obligations” means—

“supervisory authority” in relation to—

“supervisory functions” means the functions given to a supervisory authority under these Regulations;

“tax adviser” (except in regulation 31(4)) has the meaning given by regulation 11(d);

“telecommunication, digital and IT payment service provider” has the meaning given by regulation 53;

“terrorist financing” means (except where the context otherwise requires) an act which constitutes an offence under—

“third country” means a state other than [F24the United Kingdom];

“transfer of funds supervisory authority” means the supervisory authority specified for payment service providers in regulation 62;

“trust or company service provider” has the meaning given in regulation 12(2).

[F25“UK auctioning regulations” means the Greenhouse Gas Emissions Trading Scheme Auctioning Regulations 2021;]

[F26“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);]

[F27“UK regulated market” means a recognised investment exchange within the meaning of section 285(1)(a) of FSMA, which is not an overseas investment exchange within the meaning of section 313(1) of FSMA.]

(2) In these Regulations—

(a)references to an amount in euros includes reference to an equivalent amount in any currency;

(b)the equivalent in sterling (or any other currency) on a particular day of a sum expressed in euros is determined by converting the sum in euros into its equivalent in sterling or that other currency using the London closing exchange rate for the euro and the relevant currency for the previous working day;

(c)references to “real property” include, in relation to Scotland, references to heritable property;

(d)references to business being carried on in the United Kingdom, or a person carrying on business in the United Kingdom, are to be read in accordance with regulation 9;

(e)references to a person having a “qualifying relationship” with a PRA-authorised person, or with an authorised person are to be read in accordance with section 415B(4) of FSMA M23;

(f)“parent undertaking” and “subsidiary undertaking” have the same meaning as in the Companies Acts (see section 1162 of and Schedule 7 to, the Companies Act 2006 (parent and subsidiary undertaking) M24).

Meaning of business relationshipU.K.

4.—(1) For the purpose of these Regulations, “business relationship” means a business, professional or commercial relationship between a relevant person and a customer, which—

(a)arises out of the business of the relevant person, and

(b)is expected by the relevant person, at the time when contact is established, to have an element of duration.

[F28(2) A relationship where the relevant person is asked to provide one or more of the services described in regulation 12(2)(a), (b) or (d) is to be treated as a business relationship for the purpose of these Regulations, whether or not the relationship is otherwise expected to have an element of duration.]

(3) For the purposes of these Regulations, an estate agent is to be treated as entering into a business relationship with a purchaser (as well as with a seller), at the point when the purchaser's offer is accepted by the seller.

Meaning of beneficial owner: bodies corporate or partnershipU.K.

5.—(1) In these Regulations, “beneficial owner”, in relation to a body corporate which is not a company whose securities are listed on a regulated market, means—

(a)any individual who exercises ultimate control over the management of the body corporate;

(b)any individual who ultimately owns or controls (in each case whether directly or indirectly), including through bearer share holdings or by other means, more than 25% of the shares or voting rights in the body corporate; or

(c)an individual who controls the body corporate.

(2) For the purposes of paragraph (1)(c), an individual controls a body corporate if—

(a)the body corporate is a company or a limited liability partnership and that individual satisfies one or more of the conditions set out in Part 1 of Schedule 1A to the Companies Act 2006 (people with significant control over a company) M10; or

(b)the body corporate would be a subsidiary undertaking of the individual (if the individual was an undertaking) under section 1162 (parent and subsidiary undertakings) of the Companies Act 2006 read with Schedule 7 to that Act.

(3) In these Regulations, “beneficial owner”, in relation to a partnership (other than a limited liability partnership), means any individual who—

(a)ultimately is entitled to or controls (in each case whether directly or indirectly) more than 25% share of the capital or profits of the partnership or more than 25% of the voting rights in the partnership;

(b)satisfies one or more the conditions set out in Part 1 of Schedule 1 to the Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (references to people with significant control over an eligible Scottish partnership) M25; or

(c)otherwise exercises ultimate control over the management of the partnership.

(4) In this regulation “limited liability partnership” has the meaning given by the Limited Liability Partnerships Act 2000 M26.

Meaning of beneficial owner: trusts, similar arrangements and othersU.K.

6.—(1) In these Regulations, “beneficial owner”, in relation to a trust, means each of the following—

(a)the settlor;

(b)the trustees;

(c)the beneficiaries;

(d)where the individuals (or some of the individuals) benefiting from the trust have not been determined, the class of persons in whose main interest the trust is set up, or operates;

(e)any individual who has control over the trust.

(2) In paragraph (1)(e), “control” means a power (whether exercisable alone, jointly with another person or with the consent of another person) under the trust instrument or by law to—

(a)dispose of, advance, lend, invest, pay or apply trust property;

(b)vary or terminate the trust;

(c)add or remove a person as a beneficiary or to or from a class of beneficiaries;

(d)appoint or remove trustees or give another individual control over the trust;

(e)direct, withhold consent to or veto the exercise of a power mentioned in sub-paragraphs (a) to (d).

(3) In these Regulations, “beneficial owner”, in relation to a foundation or other legal arrangement similar to a trust, means those individuals who hold equivalent or similar positions to those set out in paragraph (1).

(4) For the purposes of paragraph (1)—

(a)where an individual is the beneficial owner of a body corporate which is entitled to a specified interest in the capital of the trust property or which has control over the trust, the individual is to be regarded as entitled to the interest or having control over the trust; and

(b)an individual (“P”) does not have control solely as a result of—

(i)P's consent being required in accordance with section 32(1)(c) (power of advancement) of the Trustee Act 1925 M27;

(ii)any discretion delegated to P under section 34 (power of investment and delegation) of the Pensions Act 1995 M28;

(iii)the power to give a direction conferred on P by section 19(2) (appointment and retirement of trustee at instance of beneficiaries) of the Trusts of Land and Appointment of Trustees Act 1996 M29; or

(iv)the power exercisable collectively at common law to vary or extinguish a trust where the beneficiaries under the trust are of full age and capacity and (taken together) absolutely entitled to the property subject to the trust (or, in Scotland, have a full and unqualified right to the fee).

(5) For the purposes of paragraph (4), “specified interest” means a vested interest which is—

(a)in possession or in remainder or reversion (or in Scotland, in fee); and

(b)defeasible or indefeasible.

(6) In these Regulations, “beneficial owner”, in relation to an estate of a deceased person in the course of administration, means—

(a)in England and Wales and Northern Ireland, the executor, original or by representation, or administrator for the time being of a deceased person;

(b)in Scotland, the executor for the purposes of the Executors (Scotland) Act 1900 M30.

(7) In these Regulations, “beneficial owner”, in relation to a legal entity or legal arrangement which does not fall within regulation 5 or paragraphs (1), (3) or (6) of this regulation, means—

(a)any individual who benefits from the property of the entity or arrangement;

(b)where the individuals who benefit from the entity or arrangement have yet to be determined, the class of persons in whose main interest the entity or arrangement is set up or operates;

(c)any individual who exercises control over the property of the entity or arrangement.

(8) For the purposes of paragraph (7), where an individual is the beneficial owner of a body corporate which benefits from or exercises control over the property of the entity or arrangement, the individual is to be regarded as benefiting from or exercising control over the property of the entity or arrangement.

(9) In these Regulations, “beneficial owner”, in any other case, means the individual who ultimately owns or controls the entity or arrangement or on whose behalf a transaction is being conducted.

Supervisory authoritiesU.K.

7.—(1) Subject to paragraph (2), the following bodies are supervisory authorities in relation to relevant persons—

(a)the FCA is the supervisory authority for—

(i)credit and financial institutions (including money service businesses) which are authorised persons but not excluded money service businesses;

(ii)trust or company service providers which are authorised persons;

(iii)Annex 1 financial institutions;

(iv)electronic money institutions;

(v)auction platforms;

(vi)credit unions in Northern Ireland;

(vii)recognised investment exchanges within the meaning of section 285 of FSMA M31 (exemption for recognised investment exchanges [F29, clearing houses and central securities depositories]);

[F30(viii)cryptoasset exchange providers;

(ix)custodian wallet providers;]

(b)each of the professional bodies listed in Schedule 1 is the supervisory authority for relevant persons who are members of it, or regulated or supervised by it;

(c)the Commissioners are the supervisory authority for—

(i)high value dealers;

(ii)money service businesses which are not supervised by the FCA;

(iii)trust or company service providers which are not supervised by the FCA or one of the professional bodies listed in Schedule 1;

(iv)auditors, external accountants and tax advisers who are not supervised by one of the professional bodies listed in Schedule 1;

(v)bill payment service providers which are not supervised by the FCA;

(vi)telecommunication, digital and IT payment service providers which are not supervised by the FCA;

(vii)estate agents [F31and letting agents] which are not supervised by one of the professional bodies listed in Schedule 1;

[F32(viii)art market participants;]

(d)the Gambling Commission is the supervisory authority for casinos.

(2) Where under paragraph (1), there is more than one supervisory authority for a relevant person, the supervisory authorities may agree that one of them will act as the supervisory authority for that person.

(3) Where there has been an agreement under paragraph (2), the authority which has agreed to act as the supervisory authority must notify the relevant person or publish the agreement in such manner as it considers appropriate.

(4) Where there has not been an agreement under paragraph (2), the supervisory authorities for a relevant person must co-operate in the performance of their functions under these Regulations.

(5) For the purposes of paragraph (1)(a)(i), a money service business is an “excluded money service business” if it is an authorised person who has permission under FSMA which relates to or is connected with a contract of the kind mentioned in paragraph 23 or 23B of Schedule 2 M32 to that Act (credit agreements and contracts for hire of goods) but does not have permission to carry on any other kind of regulated activity.

(6) Paragraph (5) must be read with—

(a)section 22 of FSMA (regulated activities) M33;

(b)any relevant order under that section; and

(c)Schedule 2 to that Act.

(7) For the purposes of paragraph (1), a credit union in Northern Ireland is a credit union which is—

(a)registered under regulation 3 of the Credit Unions (Northern Ireland) Order 1985 M34 (registration) and it is an authorised person; or

(b)registered under Part 2 of the Industrial and Provident Societies Act (Northern Ireland) 1969 M35 (registered societies) as a credit union and it is an authorised person.

PART 2U.K.Money Laundering and Terrorist Financing

CHAPTER 1U.K.Application

ApplicationU.K.

8.—(1) Parts 1 to 6 [F33, 7A] and 8 to 11 apply to the persons (“relevant persons”) acting in the course of business carried on by them in the United Kingdom, who—

(a)are listed in paragraph (2); and

(b)do not come within the exclusions set out in regulation 15.

(2) The persons listed in this paragraph are—

(a)credit institutions;

(b)financial institutions;

(c)auditors, insolvency practitioners, external accountants and tax advisers;

(d)independent legal professionals;

(e)trust or company service providers;

(f)estate agents [F34and letting agents];

(g)high value dealers;

(h)casinos;

[F35(i)art market participants;

(j)cryptoasset exchange providers;

(k)custodian wallet providers.]

(3) Regulations 3, 7, 9, 15, 17 to 21, 24, 25, 46, 47, 50 to 52, 65 to 82, 84, 86 to 93, 101, 102 and 106 apply to an auction platform acting in the course of business carried on by it in the United Kingdom, and such an auction platform is a relevant person for the purposes of those provisions.

(4) The definitions in regulations 10 to 14 apply for the purposes of this regulation.

Carrying on business in the United KingdomU.K.

9.—(1) For the purposes of these Regulations, a relevant person (“A”) is to be regarded as carrying on business in the United Kingdom in the cases described in this regulation even if A would not otherwise be regarded as doing so.

F36(2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(3) The second case is where—

(a)A's registered office (or if A does not have a registered office, A's head office) is in the United Kingdom; and

(b)the day-to-day management of the carrying on of A's business is the responsibility of—

(i)that office, or

(ii)another establishment maintained by A in the United Kingdom.

(4) The third case is where—

(a)A is a casino which provides facilities for remote gambling (within the meaning of section 4 of the Gambling Act 2005 (remote gambling) M36) and—

(b)either—

(i)at least one piece of remote gambling equipment (within the meaning of section 36(4) of the Gambling Act 2005 (territorial application)) is situated in Great Britain, or

(ii)no such equipment is situated in Great Britain but the facilities provided by A are used there.

(5) For the purposes of [F37paragraph (3)]—

F38(a). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(b)it is irrelevant where the person with whom the business is carried on is situated.

Credit institutions and financial institutionsU.K.

10.—(1) In these Regulations, “credit institution” means—

(a)a credit institution as defined in Article 4.1(1) of the capital requirements regulation; or

(b)a branch (as defined by Article 4.1(17) of that regulation) located in [F39the United Kingdom] of an institution falling within sub-paragraph (a) (or an equivalent institution whose head office is located in a third country) wherever the institution's head office is located,

when it accepts deposits or other repayable funds from the public or grants credits for its own account (within the meaning of the capital requirements regulation), or when it bids directly in auctions in accordance with the emission allowance auctioning regulation [F40or the UK auctioning regulations] on behalf of its clients.

(2) In these Regulations, “financial institution” means—

(a)an undertaking, including a money service business, other than an institution referred to in paragraph (3), when the undertaking carries out one or more listed activity;

[F41(b)an authorised person (within the meaning of section 31 of FSMA), who has permission under Part 4A of FSMA to carry out or effect contracts of insurance, when carrying out or effecting any contract of long-term insurance (an “insurance undertaking”);]

(c)a person (other than [F42a person falling within one of the exclusions to the definition of “investment firm” in article 3(1) of the Regulated Activities Order]), whose regular occupation or business is the provision to other persons of an investment service or the performance of an investment activity on a professional basis, when—

(i)providing investment services or performing investment activities ([F43within the meaning of that article]); or

(ii)bidding directly in auctions in accordance with the emission allowance auctioning regulation [F44or the UK auctioning regulations] on behalf of its clients;

(d)a person falling within [F45paragraph 1(k) of Part 1 of Schedule 3 to the Regulated Activities Order], when bidding directly in auctions in accordance with the emission allowance auctioning regulation [F46or the UK auctioning regulations] on behalf of clients of the person's main business;

(e)a collective investment undertaking, when marketing or otherwise offering its units or shares;

(f)an insurance intermediary as defined in Article 2.5 of Directive 2002/92/EC of the European Parliament and of the Council of 9th December 2002 on insurance mediation M37, with the exception of a tied insurance intermediary as mentioned in Article 2.7 of that Directive [F47(and for this purpose, Article 2.7 is to be read as if “insurance undertaking” has the meaning given in sub-paragraph (b))], when it acts in respect of contracts of long-term insurance;

(g)a branch located in [F48the United Kingdom] of a person referred to in sub-paragraphs (a) to (f) (or an equivalent person whose head office is located in a third country), wherever the person's head office is located, when carrying out any activity mentioned in sub-paragraphs (a) to (f);

(h)the National Savings Bank;

(i)the Director of Savings, when money is raised under the auspices of the Director under the National Loans Act 1968 M38.

(3) For the purposes of paragraph (2)(a), the institutions referred to are—

(a)a credit institution;

(b)an undertaking whose only listed activity is as a creditor under an agreement which—

(i)falls within section 12(a) of the Consumer Credit Act 1974 M39 (debtor-creditor-supplier agreements);

(ii)provides fixed sum credit (within the meaning given in section 10(1)(b) of the Consumer Credit Act 1974 (running-account credit and fixed-sum credit)) in relation to the provision of services; and

(iii)provides financial accommodation by way of deferred payment or payment by instalments over a period not exceeding 12 months;

(c)an undertaking whose only listed activity is trading for its own account in one or more of the products listed in point 7 of F49...[F50 Schedule 2] where the undertaking does not have a customer (and, for this purpose, “customer” means a person other than the undertaking which is not a member of the same group as the undertaking).

[F51(4) For the purposes of this regulation—

(a)a “listed activity” means an activity listed in points 2 to 12, 14 and 15 of F52... Schedule 2;

(b)“Regulated Activities Order” means the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001.]

Auditors and othersU.K.

11.  In these Regulations—

(a)“auditor” means any firm or individual who is—

(i)a statutory auditor within the meaning of Part 42 of the Companies Act 2006 M40 (statutory auditors), when carrying out statutory audit work within the meaning of section 1210 of that Act (meaning of statutory auditor), or

(ii)a local auditor within the meaning of section 4(1) of the Local Audit and Accountability Act 2014 (general requirements for audit) M41, when carrying out an audit required by that Act.

(b)“insolvency practitioner” means any firm or individual who acts as an insolvency practitioner within the meaning of section 388 of the Insolvency Act 1986 M42 or article 3 of the Insolvency (Northern Ireland) Order 1989 M43 (meaning of “act as insolvency practitioner”).

(c)“external accountant” means a firm or sole practitioner who by way of business provides accountancy services to other persons, when providing such services.

(d)“tax adviser” means a firm or sole practitioner who by way of business provides [F53material aid, or assistance or advice, in connection with the tax affairs of other persons, whether provided directly or through a third party], when providing such services.

Independent legal professionals and trust or company service providersU.K.

12.—(1) In these Regulations, “independent legal professional” means a firm or sole practitioner who by way of business provides legal or notarial services to other persons, when participating in financial or real property transactions concerning—

(a)the buying and selling of real property or business entities;

(b)the managing of client money, securities or other assets;

(c)the opening or management of bank, savings or securities accounts;

(d)the organisation of contributions necessary for the creation, operation or management of companies; or

(e)the creation, operation or management of trusts, companies, foundations or similar structures,

and, for this purpose, a person participates in a transaction by assisting in the planning or execution of the transaction or otherwise acting for or on behalf of a client in the transaction.

(2) In these Regulations, “trust or company service provider” means a firm or sole practitioner who by way of business provides any of the following services to other persons, when that firm or practitioner is providing such services—

[F54(a)forming a firm;]

(b)acting, or arranging for another person to act—

(i)as a director or secretary of a company;

(ii)as a partner of a partnership; or

(iii)in a similar capacity in relation to other legal persons;

(c)providing a registered office, business address, correspondence or administrative address or other related services for a company, partnership or any other legal person or legal arrangement;

(d)acting, or arranging for another person to act, as—

(i)a trustee of an express trust or similar legal arrangement; or

(ii)a nominee shareholder for a person other than a company whose securities are listed on a regulated market.

Estate agents [F55and letting agents]U.K.

13.—(1) In these Regulations, “estate agent” means a firm or a sole practitioner, who, or whose employees, carry out estate agency work, when the work is being carried out.

(2) For the purposes of paragraph (1) “estate agency work” is to be read in accordance with section 1 of the Estate Agents Act 1979 M44 (estate agency work), but for those purposes references in that section to disposing of or acquiring an interest in land are (despite anything in section 2 of that Act) to be taken to include references to disposing of or acquiring an estate or interest in land outside the United Kingdom where that estate or interest is capable of being owned or held as a separate interest.

[F56(3) In these Regulations, “letting agent” means a firm or sole practitioner who, or whose employees, carry out letting agency work, when carrying out such work.

(4) For the purposes of paragraph (3), “letting agency work” means work—

(a)consisting of things done in response to instructions received from—

(i)a person (a “prospective landlord”) seeking to find another person to whom to let land, or

(ii)a person (a “prospective tenant”) seeking to find land to rent, and

(b)done in a case where an agreement is concluded for the letting of land—

(i)for a term of a month or more, and

(ii)at a rent which during at least part of the term is, or is equivalent to, a monthly rent of 10,000 euros or more.

(5) For the purposes of paragraph (3) “letting agency work” does not include the things listed in paragraph (6) when done by, or by employees of, a firm or sole practitioner if neither the firm or sole practitioner, nor any of their employees, does anything else within paragraph (4).

(6) Those things are—

(a)publishing advertisements or disseminating information;

(b)providing a means by which a prospective landlord or a prospective tenant can, in response to an advertisement or dissemination of information, make direct contact with a prospective tenant or a prospective landlord;

(c)providing a means by which a prospective landlord and a prospective tenant can communicate directly with each other;

(d)the provision of legal or notarial services by a barrister, advocate, solicitor or other legal representative communications with whom may be the subject of a claim to professional privilege or, in Scotland, protected from disclosure in legal proceedings on grounds of confidentiality of communication.

(7) In paragraph (4) “land” includes part of a building and part of any other structure.]

High value dealers, [F57casinos, auction platforms and art market participants]U.K.

14.—(1) In these Regulations—

(a)“high value dealer” means a firm or sole trader who by way of business trades in goods (including an auctioneer dealing in goods), when the trader makes or receives, in respect of any transaction, a payment or payments in cash of at least 10,000 euros in total, whether the transaction is executed in a single operation or in several operations which appear to be linked;

(b)“casino” means the holder of a casino operating licence and, for this purpose, a “casino operating licence” has the meaning given by section 65(2)(a) of the Gambling Act 2005 M45 (nature of licence);

(c)“auction platform” means a platform which auctions two-day spot or five-day futures, within the meanings given by [F58regulation 2(1) of the UK auctioning regulations], when it carries out activities covered by that regulation.

[F59(d)“art market participant” means [F60, subject to paragraph (3),] a firm or sole practitioner who—

(i)by way of business trades in, or acts as an intermediary in the sale or purchase of, works of art and the value of the transaction, or a series of linked transactions, amounts to 10,000 euros or more; or

(ii)is the operator of a freeport when it, or any other firm or sole practitioner, by way of business stores works of art in the freeport and the value of the works of art so stored for a person, or a series of linked persons, amounts to 10,000 euros or more;

(e)“freeport” means a warehouse or storage facility within an area designated by the Treasury as a special area for customs purposes pursuant to section 100A(1) of the Customs and Excise Management Act 1979 (designation of free zones) M46;

(f)“work of art” means anything which, in accordance with section 21(6) to (6B) of the Value Added Tax Act 1994 (value of imported goods) M47, is a work of art for the purposes of section 21(5)(a) of that Act.]

(2) A payment does not cease to be a “payment in cash” for the purposes of paragraph (1)(a) if cash is paid by or on behalf of the person making the payment—

(a)to a person other than the other party to the transaction for the benefit of the other party, or

(b)into a bank account for the benefit of the other party to the transaction.

[F61(3) A firm or sole practitioner is not an art market participant for the purposes of paragraph (1)(d)(i) in relation to the sale of a work of art which is created by, or is attributable to, a member of the firm or the sole practitioner.]

[F62Cryptoasset exchange providers and custodian wallet providersU.K.

14A.—(1) In these Regulations, “cryptoasset exchange provider” means a firm or sole practitioner who by way of business provides one or more of the following services, including where the firm or sole practitioner does so as creator or issuer of any of the cryptoassets involved, when providing such services—

(a)exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets,

(b)exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another, or

(c)operating a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets.

(2) In these Regulations, “custodian wallet provider” means a firm or sole practitioner who by way of business provides services to safeguard, or to safeguard and administer—

(a)cryptoassets on behalf of its customers, or

(b)private cryptographic keys on behalf of its customers in order to hold, store and transfer cryptoassets,

when providing such services.

(3) For the purposes of this regulation—

(a)“cryptoasset” means a cryptographically secured digital representation of value or contractual rights that uses a form of distributed ledger technology and can be transferred, stored or traded electronically;

(b)“money” means—

(i)money in sterling,

(ii)money in any other currency, or

(iii)money in any other medium of exchange,

but does not include a cryptoasset; and

(c)in sub-paragraphs (a), (b) and (c) of paragraph (1), “cryptoasset” includes a right to, or interest in, the cryptoasset.]

ExclusionsU.K.

15.—(1) Parts 1 to 4, 6 and 8 to 11 do not apply to the following persons when carrying on any of the following activities—

(a)a registered society within the meaning of section 1 of the Co-operative and Community Benefit Societies Act 2014 (meaning of “registered society”) M46, when it—

(i)issues withdrawable share capital within the limit set by section 24 of that Act (maximum shareholding in society); or

(ii)accepts deposits from the public within the limit set by section 67(2) of that Act (carrying on of banking by societies);

(b)a society registered under the Industrial and Provident Societies Act (Northern Ireland) 1969 M47, when it—

(i)issues withdrawable share capital within the limit set by section 6 M48 of that Act (maximum shareholding in society); or

(ii)accepts deposits from the public within the limit set by section 7(3) of that Act (carrying on of banking by societies);

(c)a person who is (or falls within a class of persons) specified in any of paragraphs 2 to 23, 26 to 38 or 40 to 49 of the Schedule to the Financial Services and Markets Act 2000 (Exemption) Order 2001 M49, when carrying out any activity in respect of which that person is exempt;

(d)a local authority within the meaning given in article 3(1) of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 M50, when carrying on an activity which would be a regulated activity for the purposes of FSMA but for article 72G of that Order M51;

(e)a person who was an exempted person for the purposes of section 45 of the Financial Services Act 1986 M52 (miscellaneous exemptions) immediately before its repeal, when exercising the functions specified in that section;

(f)a person whose main activity is that of a high value dealer, when engaging in financial activity on an occasional or very limited basis as set out in paragraph (3); or

(g)a person preparing a home report, which for these purposes means the documents prescribed for the purposes of section 98, 99(1) or 101(2) of the Housing (Scotland) Act 2006 (duties: information and others) M53.

(2) These Regulations do not apply to a person who falls within regulation 8 solely as a result of that person engaging in financial activity on an occasional or very limited basis as set out in paragraph (3).

(3) For the purposes of paragraphs (1)(f) and (2), a person is to be considered as engaging in financial activity on an occasional or very limited basis if all the following conditions are met—

(a)the person's total annual turnover in respect of the financial activity does not exceed £100,000;

(b)the financial activity is limited in relation to any customer to no more than one transaction exceeding 1,000 euros, whether the transaction is carried out in a single operation, or a series of operations which appear to be linked;

(c)the financial activity does not exceed 5% of the person's total annual turnover;

(d)the financial activity is ancillary and directly related to the person's main activity;

(e)the financial activity is not the transmission or remittance of money (or any representation of monetary value) by any means;

(f)the person's main activity is not that of a person falling within regulation 8(2)(a) to (f) or (h) [F63to (k)];

(g)the financial activity is provided only to customers of the main activity of the person and is not offered to the public.

(4) Chapters 2 and 3 of Part 2, and Parts 3 to 9, do not apply to—

(a)the Auditor General for Scotland;

(b)the Auditor General for Wales;

(c)the Bank of England;

(d)the Comptroller and Auditor General;

(e)the Comptroller and Auditor General for Northern Ireland;

(f)the Official Solicitor to the Supreme Court, when acting as trustee in his or her official capacity;

(g)the Treasury Solicitor.

CHAPTER 2U.K.Risk assessment and controls

Risk assessment by the Treasury and Home OfficeU.K.

16.—(1) The Treasury and the Home Office must make arrangements before 26th June 2018 for a risk assessment to be undertaken to identify, assess, understand and mitigate the risks of money laundering and terrorist financing affecting the United Kingdom (“the risk assessment”).

(2) The risk assessment must, among other things—

(a)identify any areas where relevant persons should apply enhanced customer due diligence measures, and where appropriate, specify the measures to be taken;

(b)identify, where appropriate, the sectors or areas of lower and greater risk of money laundering and terrorist financing;

(c)consider whether any rules on money laundering and terrorist financing made by a supervisory authority applying in relation to the sector it supervises are appropriate in the light of the risks of money laundering and terrorist financing applying to that sector;

(d)provide the information and analysis necessary to enable it to be used for the purposes set out in paragraph (3).

(3) The Treasury and the Home Office must ensure that the risk assessment is used to—

(a)consider the appropriate allocation and prioritisation of resources to counter money laundering and terrorist financing;

(b)consider whether the exclusions provided for in regulation 15 are being abused;

(c)consider whether providers of gambling services other than casinos should continue to be excluded from the requirements of these Regulations.

(4) For the purpose of paragraph (3)(c), a “provider of gambling services” means a person who by way of business provides facilities for gambling within the meaning of section 5 of the Gambling Act 2005 (facilities for gambling) M54.

F64(5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(6) The Treasury and the Home Office must prepare a joint report setting out, as appropriate, the findings of the risk assessment as soon as reasonably practicable after the risk assessment is completed.

[F65(6A) The report must also set out—

(a)the institutional structure and broad procedures of the United Kingdom’s anti-money laundering and counter-terrorist financing regime, including the role of the financial intelligence unit, tax agencies and prosecutors;

(b)the nature of measures taken and resources allocated to counter money laundering and terrorist financing.]

(7) A copy of that report must be laid before Parliament, and sent to—

(a)the PRA;

(b)the supervisory authorities;

F66(c). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F67(d). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F68(e). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(8) If information from the risk assessment would assist the supervisory authorities in carrying out their own money laundering and terrorist financing risk assessment, the Treasury and the Home Office must, where appropriate, make that information available to those supervisory authorities, unless to do so would not be compatible with restrictions on sharing information imposed by or under [F69—

(a)the Data Protection Act 2018 or any other enactment, or

(b)the [F70UK GDPR].]

(9) The Treasury and the Home Office must take appropriate steps to ensure that the risk assessment is kept up-to-date.

[F71Risk assessment by the TreasuryU.K.

16A.—(1) The Treasury must make arrangements for a risk assessment to be undertaken to identify, assess, understand and mitigate the risks of proliferation financing affecting the United Kingdom (“the proliferation financing risk assessment”).

(2) The proliferation financing risk assessment must, among other things—

(a)identify, where appropriate, the sectors or areas of lower and greater risk of proliferation financing;

(b)provide the information and analysis necessary to enable it to be used for the purposes set out in paragraph (3).

(3) The Treasury must ensure that the proliferation financing risk assessment is used to—

(a)consider the appropriate allocation and prioritisation of resources to counter proliferation financing;

(b)consider whether the exclusions provided for in regulation 15 (exclusions) are being abused.

(4) The Treasury must prepare a report setting out, as appropriate, the findings of the proliferation financing risk assessment as soon as reasonably practicable after the proliferation financing risk assessment is completed.

(5) A copy of that report must be laid before Parliament and sent to the supervisory authorities.

(6) The Treasury must take appropriate steps to ensure that the proliferation financing risk assessment is kept up-to-date.

(7) The proliferation financing risk assessment may be included in the risk assessment made under regulation 16 (risk assessment by the Treasury and Home Office).

(8) The report referred to in paragraph (4) may be included within the joint report of the Treasury and Home Office referred to in regulation 16(6).

(9) In this regulation, “proliferation financing” means the act of providing funds or financial services for use, in whole or in part, in the manufacture, acquisition, development, export, trans-shipment, brokering, transport, transfer, stockpiling of, or otherwise in connection with the possession or use of, chemical, biological, radiological or nuclear weapons, including the provision of funds or financial services in connection with the means of delivery of such weapons and other CBRN-related goods and technology, in contravention of a relevant financial sanctions obligation.

(10) In this regulation—

“biological weapon” means a biological agent or toxin (within the meaning of section 1(1)(a) of the Biological Weapons Act 1974F72) in a form capable of use for hostile purposes or anything to which section 1(1)(b) of that Act applies;

“chemical weapon” has the meaning given by section 1 of the Chemical Weapons Act 1996F73;

“CBRN-related goods and technology” means technology (including dual-use technology) and dual-use goods used for non-legitimate purposes in connection with the matters referred to in paragraph (9);

“dual-use goods” means (a) any thing for the time being specified in Annex I of the Dual-Use Regulation, other than any thing which is dual-use technology, and (b) any tangible storage medium on which dual use technology is recorded or from which it can be derived;

“Dual-Use Regulation” means Council Regulation (EC) No 428/2009 of 5 May 2009F74 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items;

“dual-use technology” means any thing for the time being specified in Annex I of the Dual-Use Regulation which is described as software or technology;

“nuclear weapon” includes a nuclear explosive device that is not intended for use as a weapon;

“radiological weapon” means a device designed to cause destruction, damage or injury by means of the radiation produced by the decay of radioactive material;

“relevant financial sanctions obligation” means a prohibition or requirement in regulations made under section 1 of the Sanctions and Anti-Money Laundering Act 2018F75 and imposed for one or more of the purposes in section 3(1) or (2) of that Act so far as it relates to compliance with a relevant UN obligation;

“relevant UN obligation” means an obligation that the UK has by virtue of a resolution adopted by the Security Council of the United Nations which relates to the prevention, suppression and disruption of the proliferation of weapons of mass destruction and the financing of such;

“technology” has the meaning given by paragraph 37 of Schedule 1 to the Sanctions and Anti-Money Laundering Act 2018.]

Risk assessment by supervisory authoritiesU.K.

17.—(1) Each supervisory authority must identify and assess the international and domestic risks of money laundering and terrorist financing to which those relevant persons for which it is the supervisory authority (“its own sector”) are subject.

(2) In carrying out the risk assessment required under paragraph (1), the supervisory authority must take into account—

F76(a). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F77(b). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(c)the report prepared by the Treasury and the Home Office under regulation 16(6); and

(d)information made available by the Treasury and the Home Office under regulation 16(8).

(3) A supervisory authority must keep an up-to-date record in writing of all the steps it has taken under paragraph (1).

(4) Each supervisory authority must develop and record in writing risk profiles for each relevant person in its own sector.

(5) A supervisory authority may prepare a single risk profile under paragraph (4) in relation to two or more relevant persons in its sector, if—

(a)the relevant persons share similar characteristics; and

(b)the risks of money laundering and terrorist financing affecting those relevant persons do not differ significantly.

(6) Where a supervisory authority has prepared a single risk profile for two or more relevant persons in its sector (a “cluster”), the supervisory authority must keep under review whether an individual risk profile should be prepared in relation to any relevant person in the cluster because sub-paragraph (a) or (b) (or both sub-paragraphs) of paragraph (5) are no longer satisfied in relation to that person.

(7) In developing the risk profiles referred to in paragraph (4), the supervisory authority must take full account of the risks that relevant persons in its own sector will not take appropriate action to identify, understand and mitigate money laundering and terrorist financing risks.

(8) Each supervisory authority must review the risk profiles developed under paragraph (4) at regular intervals and following any significant event or developments which might affect the risks to which its own sector is subject, such as—

(a)significant external events that change the nature of the money laundering or terrorist financing risks;

(b)emerging money laundering or terrorist financing risks;

(c)any findings resulting from measures taken by other supervisory authorities;

(d)any changes in the way in which its own sector is operated;

(e)significant changes in regulation.

(9) If information from the risk assessment carried out under paragraph (1), or from information provided to the supervisory authority under regulation 16(8), would assist relevant persons in carrying out their own money laundering and terrorist financing risk assessment, the supervisory authority must, where appropriate, make that information available to those persons, unless to do so would not be compatible with restrictions on sharing information imposed by or under [F78—

(a)the Data Protection Act 2018 or any other enactment, or

(b)the [F79UK GDPR].]

Risk assessment by relevant personsU.K.

18.—(1) A relevant person must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject.

(2) In carrying out the risk assessment required under paragraph (1), a relevant person must take into account—

(a)information made available to them by the supervisory authority under regulations 17(9) and 47, and

(b)risk factors including factors relating to—

(i)its customers;

(ii)the countries or geographic areas in which it operates;

(iii)its products or services;

(iv)its transactions; and

(v)its delivery channels.

(3) In deciding what steps are appropriate under paragraph (1), the relevant person must take into account the size and nature of its business.

(4) A relevant person must keep an up-to-date record in writing of all the steps it has taken under paragraph (1), unless its supervisory authority notifies it in writing that such a record is not required.

(5) A supervisory authority may not give the notification referred to in paragraph (4) unless it considers that the risks of money laundering and terrorist financing applicable to the sector in which the relevant person operates are clear and understood.

(6) A relevant person must provide the risk assessment it has prepared under paragraph (1), the information on which that risk assessment was based and any record required to be kept under paragraph (4), to its supervisory authority on request.

[F80Risk assessment by relevant persons in relation to proliferation financingU.K.

18A.—(1) A relevant person must take appropriate steps to identify and assess the risks of proliferation financing to which its business is subject.

(2) In carrying out the risk assessment required under paragraph (1), a relevant person must take into account—

(a)information in the report referred to in regulation 16A (risk assessment by the Treasury); and

(b)risk factors including factors relating to—

(i)its customers;

(ii)the countries or geographic areas in which it operates;

(iii)its products or services;

(iv)its transactions; and

(v)its delivery channels.

(3) In deciding what steps are appropriate under paragraph (1), the relevant person must take into account the size and nature of its business.

(4) A relevant person must keep an up-to-date record in writing of all the steps it has taken under paragraph (1), unless its supervisory authority notifies it in writing that such a record is not required.

(5) A relevant person must provide the risk assessment it has prepared under paragraph (1), the information on which that risk assessment was based and any record required to be kept under paragraph (4), to its supervisory authority on request.]

Policies, controls and proceduresU.K.

19.—(1) A relevant person must—

(a)establish and maintain policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified in any risk assessment undertaken by the relevant person under regulation 18(1);

(b)regularly review and update the policies, controls and procedures established under sub-paragraph (a);

(c)maintain a record in writing of—

(i)the policies, controls and procedures established under sub-paragraph (a);

(ii)any changes to those policies, controls and procedures made as a result of the review and update required by sub-paragraph (b); and

(iii)the steps taken to communicate those policies, controls and procedures, or any changes to them, within the relevant person's business.

(2) The policies, controls and procedures adopted by a relevant person under paragraph (1) must be—

(a)proportionate with regard to the size and nature of the relevant person's business, and

(b)approved by its senior management.

(3) The policies, controls and procedures referred to in paragraph (1) must include—

(a)risk management practices;

(b)internal controls (see regulations 21 to 24);

(c)customer due diligence (see regulations 27 to 38);

(d)reliance and record keeping (see regulations 39 to 40);

(e)the monitoring and management of compliance with, and the internal communication of, such policies, controls and procedures.

(4) The policies, controls and procedures referred to in paragraph (1) must include policies, controls and procedures—

(a)which provide for the identification and scrutiny of—

(i)any case where—

(aa)a transaction is complex [F81or] unusually large, or there is an unusual pattern of transactions, [F82or]

(bb)the transaction or transactions have no apparent economic or legal purpose, and

(ii)any other activity or situation which the relevant person regards as particularly likely by its nature to be related to money laundering or terrorist financing;

(b)which specify the taking of additional measures, where appropriate, to prevent the use for money laundering or terrorist financing of products and transactions which might favour anonymity;

(c)which ensure that when [F83new products, new business practices (including new delivery mechanisms) or new technology are] adopted by the relevant person, appropriate measures are taken in preparation for, and during, the adoption of such [F84products, practices or] technology to assess and if necessary mitigate any money laundering or terrorist financing risks this new [F85product, practice or] technology may cause;

(d)under which anyone in the relevant person's organisation who knows or suspects (or has reasonable grounds for knowing or suspecting) that a person is engaged in money laundering or terrorist financing as a result of information received in the course of the business or otherwise through carrying on that business is required to comply with—

(i)Part 3 of the Terrorism Act 2000 M55; or

(ii)Part 7 of the Proceeds of Crime Act 2002 M56;

(e)which, in the case of a money service business that uses agents for the purpose of its business, ensure that appropriate measures are taken by the business to assess—

(i)whether an agent used by the business would satisfy the fit and proper test provided for in regulation 58; and

(ii)the extent of the risk that the agent may be used for money laundering or terrorist financing.

(5) In determining what is appropriate or proportionate with regard to the size and nature of its business, a relevant person may take into account any guidance which has been—

(a)issued by the FCA; or

(b)issued by any other supervisory authority or appropriate body and approved by the Treasury.

(6) A relevant person must, where relevant, communicate the policies, controls and procedures which it establishes and maintains in accordance with this regulation to its branches and subsidiary undertakings which are located outside the United Kingdom.

[F86Policies, controls and procedures in relation to proliferation financingU.K.

19A.—(1) A relevant person must—

(a)establish and maintain policies, controls and procedures to mitigate and manage effectively the risks of proliferation financing identified in any risk assessment undertaken by the relevant person under regulation 18A(1);

(b)regularly review and update the policies, controls and procedures established under sub-paragraph (a);

(c)maintain a record in writing of—

(i)the policies, controls and procedures established under sub-paragraph (a);

(ii)any changes to those policies, controls and procedures made as a result of the review and update required by sub-paragraph (b); and

(iii)the steps taken to communicate those policies, controls and procedures, or any changes to them, within the relevant person’s business.

(2) The policies, controls and procedures adopted by a relevant person under paragraph (1) must be—

(a)proportionate with regard to the size and nature of the relevant person’s business; and

(b)approved by its senior management.

(3) The policies, controls and procedures referred to in paragraph (1) must include—

(a)risk management practices;

(b)internal controls (see regulations 21 to 24)F87;

(c)the monitoring and management of compliance with, and the internal communication of, such policies, controls and procedures.

(4) The policies, controls and procedures referred to in paragraph (1) must include policies, controls and procedures—

(a)which provide for the identification and scrutiny of—

(i)any case where—

(aa)a transaction is complex or unusually large, or there is an unusual pattern of transactions; or

(bb)the transaction or transactions have no apparent economic or legal purpose, and

(ii)any other activity or situation which the relevant person regards as particularly likely by its nature to be related to proliferation financing;

(b)which specify the taking of additional measures, where appropriate, to prevent the use for proliferation financing of products and transactions which might favour anonymity;

(c)which ensure that when new products, new business practices (including new delivery mechanisms) or new technology are adopted by the relevant person, appropriate measures are taken in preparation for, and during, the adoption of such products, practices or technology to assess and if necessary mitigate any proliferation financing risks this new product, practice or technology may cause;

(d)which, in the case of a money service business that uses agents for the purpose of its business, ensure that appropriate measures are taken by the business to assess—

(i)whether an agent used by the business would satisfy the fit and proper test provided for in regulation 58F88; and

(ii)the extent of the risk that the agent may be used for proliferation financing.

(5) A relevant person must, where relevant, communicate the policies, controls and procedures which it establishes and maintains in accordance with this regulation to its branches and subsidiary undertakings which are located outside the United Kingdom.]

Policies, controls and procedures: group levelU.K.

20.—(1) A relevant parent undertaking must—

(a)ensure that the policies, controls and procedures referred to in [F89regulations 19(1) and 19A(1)] apply—

(i)to all its subsidiary undertakings, including subsidiary undertakings located outside the United Kingdom; and

(ii)to any branches it has established outside the United Kingdom;

which is carrying out any activity in respect of which the relevant person is subject to these Regulations;

(b)establish and maintain throughout its group the policies, controls and procedures for data protection and sharing information for the purposes of preventing [F90money laundering, terrorist financing and proliferation financing] with other members of the group [F91, including policies on the sharing of information about customers, customer accounts and transactions;]

(c)regularly review and update the policies, controls and procedures applied and established under sub-paragraphs (a) and (b);

(d)maintain a record in writing of—

(i)the policies, controls and procedures established under sub-paragraphs (a) and (b);

(ii)any changes to those policies, controls and procedures made as a result of the review and update required by sub-paragraph (c); and

(iii)the steps taken to communicate those policies, controls and procedures, or any changes to them, to its subsidiary undertakings and branches.

F92(2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(3) If any of the subsidiary undertakings or branches of a relevant parent undertaking are established in a third country which does not impose requirements to counter [F93money laundering, terrorist financing and proliferation financing] as strict as those of the United Kingdom, the relevant parent undertaking must ensure that those subsidiary undertakings and branches apply measures equivalent to those required by these Regulations, as far as permitted under the law of the third country.

(4) Where the law of a third country does not permit the application of such equivalent measures by the subsidiary undertaking or branch established in that country, the relevant parent undertaking must—

(a)inform its supervisory authority accordingly; and

(b)take additional measures to handle the risk of [F94money laundering, terrorist financing and proliferation financing].

(5) A relevant parent undertaking must ensure that information relevant to the prevention of [F95money laundering, terrorist financing and proliferation financing] is shared as appropriate between members of its group, subject to any restrictions on sharing information imposed by or under any enactment or otherwise.

[F96(6) The FCA may make technical standards specifying—

(a)what additional measures are required from credit institutions and financial institutions under paragraph (4); and

(b)the minimum action to be taken by credit institutions and financial institutions where paragraph (4) applies.]

Internal controlsU.K.

21.—(1) Where appropriate with regard to the size and nature of its business, a relevant person must—

(a)appoint one individual who is a member of the board of directors (or if there is no board, of its equivalent management body) or of its senior management as the officer responsible for the relevant person's compliance with these Regulations;

(b)carry out screening of relevant employees appointed by the relevant person, both before the appointment is made and during the course of the appointment;

(c)establish an independent audit function with the responsibility—

(i)to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by the relevant person to comply with the requirements of these Regulations;

(ii)to make recommendations in relation to those policies, controls and procedures; and

(iii)to monitor the relevant person's compliance with those recommendations.

(2) For the purposes of paragraph (1)(b)—

(a)“screening” means an assessment of—

(i)the skills, knowledge and expertise of the individual to carry out their functions effectively;

(ii)the conduct and integrity of the individual;

(b)a relevant employee is an employee whose work is—

(i)relevant to the relevant person's compliance with any requirement in these Regulations, or

(ii)otherwise capable of contributing to the—

(aa)identification or mitigation of the risks of [F97money laundering, terrorist financing and proliferation financing] to which the relevant person's business is subject, or

(bb)prevention or detection of [F98money laundering, terrorist financing and proliferation financing] in relation to the relevant person's business.

(3) An individual in the relevant person's firm must be appointed as a nominated officer.

(4) A relevant person must, within 14 days of the appointment, inform its supervisory authority of—

(a)the identity of the individual first appointed under paragraph (1)(a);

(b)the identity of the individual first appointed under paragraph (3); and

(c)of any subsequent appointment to either of those positions.

(5) Where a disclosure is made to the nominated officer, that officer must consider it in the light of any relevant information which is available to the relevant person and determine whether it gives rise to knowledge or suspicion or reasonable grounds for knowledge or suspicion that a person is engaged in money laundering or terrorist financing.

(6) Paragraphs (1) and (3) do not apply where the relevant person is an individual who neither employs nor acts in association with any other person.

(7) A relevant person who is an electronic money issuer or a payment service provider must appoint an individual to monitor and manage compliance with, and the internal communication of, the policies, controls and procedures adopted by the relevant person under regulation 19(1) [F99or 19A(1)], and in particular to—

(a)identify any situations of higher risk of [F100money laundering, terrorist financing or proliferation financing];

(b)maintain a record of its policies, controls and procedures, risk assessment and risk management including the application of such policies and procedures;

(c)apply measures to ensure that its policies, controls and procedures are taken into account in all relevant functions including in the development of new products, dealing with new customers and in changes to business activities; and

(d)provide information to senior management about the operation and effectiveness of its policies, controls and procedures whenever appropriate and at least annually.

(8) A relevant person must establish and maintain systems which enable it to respond fully and rapidly to enquiries from any person specified in paragraph (9) as to—

(a)whether it maintains, or has maintained during the previous five years, a business relationship with any person; and

(b)the nature of that relationship.

(9) The persons specified in this paragraph are—

(a)financial investigators accredited under section 3 of the Proceeds of Crime Act 2002 (accreditation and training) M57;

(b)persons acting on behalf of the Scottish Ministers in their capacity as an enforcement authority under that Act; and

(c)constables or equivalent officers of any law enforcement authority.

(10) In determining what is appropriate with regard to the size and nature of its business, a relevant person—

(a)must take into account its risk assessment under regulation 18(1) [F101and 18A(1)]; and

(b)may take into account any guidance which has been—

(i)issued by the FCA; or

(ii)issued by any other supervisory authority or appropriate body and approved by the Treasury.

Central contact points: electronic money issuers and payment service providersU.K.

F10222.  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Requirement on authorised person to inform the FCAU.K.

23.—(1) An authorised person whose supervisory authority is the FCA must, before acting as a money service business or a trust or company service provider or within 28 days of so doing, inform the FCA that it intends, or has begun, to act as such.

(2) Paragraph (1) does not apply to an authorised person which—

(a)immediately before the day on which these Regulations come into force (“the relevant date”) was acting as a money service business or a trust or company service provider and continues to act as such after that date; and

(b)informs the FCA that it is acting as such within 30 days of the relevant date.

(3) Where an authorised person whose supervisory authority is the FCA ceases to act as a money service business or a trust or company service provider, it must within 28 days inform the FCA.

(4) Any requirement imposed by this regulation is to be treated as if it were a requirement imposed by or under FSMA.

(5) Any information to be provided to the FCA under this regulation must be in such form or verified in such manner as it may specify.

TrainingU.K.

24.—(1) A relevant person must—

(a)take appropriate measures to ensure that its relevant employees [F103, and any agents it uses for the purposes of its business whose work is of a kind mentioned in paragraph (2),] are—

(i)made aware of the law relating to [F104money laundering, terrorist financing and proliferation financing], and to the requirements of data protection, which are relevant to the implementation of these Regulations; and

(ii)regularly given training in how to recognise and deal with transactions and other activities or situations which may be related to [F105money laundering, terrorist financing or proliferation financing];

(b)maintain a record in writing of the measures taken under sub-paragraph (a), and in particular, of the training given to its relevant employees [F106and to any agents it uses for the purposes of its business whose work is of a kind mentioned in paragraph (2)].

(2) For the purposes of paragraph (1), a relevant employee is an employee whose work is—

(a)relevant to the relevant person's compliance with any requirement in these Regulations, or

(b)otherwise capable of contributing to the—

(i)identification or mitigation of the risk of [F107money laundering, terrorist financing and proliferation financing] to which the relevant person's business is subject; or

(ii)prevention or detection of [F108money laundering, terrorist financing and proliferation financing] in relation to the relevant person's business.

(3) In determining what measures are appropriate under paragraph (1), a relevant person—

(a)must take account of—

(i)the nature of its business;

(ii)its size;

(iii)the nature and extent of the risks of [F109money laundering, terrorist financing and proliferation financing] to which its business is subject; and

(b)may take into account any guidance which has been—

(i)issued by the FCA; or

(ii)issued by any other supervisory authority or appropriate body and approved by the Treasury.

Supervisory actionU.K.

25.—(1) The supervisory authority must determine whether the additional measures taken under regulation 20(4) by a relevant parent undertaking which is an authorised person [F110, a qualifying parent undertaking (as defined by section 192B of FSMA) or a non-authorised parent undertaking (as defined by section 143B of FSMA)] are sufficient to handle the risk of money laundering and terrorist financing effectively.

(2) If the supervisory authority does not consider the measures referred to in paragraph (1) to be sufficient, it must consider whether to direct the relevant parent undertaking—

(a)not to enter into a business relationship with a specified person;

(b)not to undertake transactions of a specified description with a specified person;

(c)to terminate an existing business relationship with a specified person;

(d)to cease any operations in the third country.

(e)to ensure that its subsidiary undertaking—

(i)does not enter into a business relationship with a specified person;

(ii)terminates an existing business relationship with a specified person; or

(iii)does not undertake transactions of a specified description with a specified person, or ceases any operations in the third country.

(3) A direction issued under paragraph (2) takes effect—

(a)immediately, if the notice given under paragraph (6) states that that is the case;

(b)on such date as may be specified in the notice; or

(c)if no such date is specified in the notice, when the matter to which the notice relates is no longer open to review.

(4) For the purposes of paragraph (3), a matter to which a notice relates is still open to review if—

(a)the period during which any person may refer the matter to the appropriate tribunal is still running;

(b)the matter has been referred to the appropriate tribunal but has not been dealt with;

(c)the matter has been referred to the appropriate tribunal and dealt with but the period during which an appeal may be brought against the appropriate tribunal's decision is still running; or

(d)such an appeal has been brought but has not been determined.

(5) Where the FCA proposes to issue a direction under paragraph (2) to a PRA-authorised person or to a person who has a qualifying relationship with a PRA-authorised person, it must consult the PRA.

(6) If the supervisory authority issues a direction under paragraph (2) it must give the relevant parent undertaking (“A”) a notice in writing.

(7) The notice must—

(a)give details of the direction;

(b)state the supervisory authority's reasons for issuing the direction;

(c)inform A that A may make representations to the supervisory authority within such period as may be specified in the notice (whether or not A has referred the matter to the appropriate tribunal);

(d)inform A of when the direction takes effect; and

(e)inform A of A's right to refer the matter to the appropriate tribunal.

(8) The supervisory authority may extend the period allowed under the notice for making representations.

(9) If, having considered any representations made by A, the supervisory authority decides—

(a)to issue the direction, or

(b)if the direction has been issued, not to rescind the direction,

it must give A notice in writing.

(10) If, having considered any representations made by A, the supervisory authority decides—

(a)not to issue the direction,

(b)to issue a different direction, or

(c)to rescind a direction which has effect,

it must give A notice in writing.

(11) A notice under paragraph (9) must inform A of A's right to refer the matter to the appropriate tribunal.

(12) A notice under paragraph (10)(b) must comply with paragraph (7).

(13) If a notice informs A of A's right to refer a matter to the appropriate tribunal, it must give an indication of the procedure on such a reference.

[F111(13A) The supervisory authority may, if it considers it proportionate to do so, publish such information about a direction given under paragraph (2) as the authority considers appropriate.

(13B) Where the supervisory authority publishes such information and the supervisory authority decides to rescind the direction to which the notice relates, the supervisory authority must, without delay, publish that fact in the same manner as that in which the information was published under paragraph (13A).

(13C) Where the supervisory authority publishes information under paragraph (13A) and the person to whom the notice is given refers the matter to the Upper Tribunal, the supervisory authority must, without delay, publish information about the status of the appeal and its outcome in the same manner as that in which the information was published under paragraph (13A).]

(14) For the purpose of this regulation—

(a)“appropriate tribunal” means—

(i)the Upper Tribunal, in the case of a direction issued by the FCA;

(ii)the First-tier or Upper Tribunal, as provided for in regulation 99, in the case of a direction issued by the Commissioners;

(b)“specified” means specified in the direction.

CHAPTER 3U.K.Ownership and Management Restrictions

Prohibitions and approvalsU.K.

26.—(1) No person may be the beneficial owner, officer or manager of a firm within paragraph (2) (“a relevant firm”), or a sole practitioner within paragraph (2) (“a relevant sole practitioner”), unless that person has been approved as a beneficial owner, officer or manager of the firm or as a sole practitioner by the supervisory authority of the firm or sole practitioner.

(2) The firms and sole practitioners within this paragraph are—

(a)auditors, insolvency practitioners, external accountants and tax advisors;

(b)independent legal professionals;

(c)estate agents [F112and letting agents];

(d)high value dealers;

[F113(e)art market participants.]

(3) A person does not breach the prohibition in paragraph (1) if that person has before 26th June 2018 applied to the supervisory authority for approval under paragraph (6) and that application has not yet been determined.

[F114(3A) A person does not breach the prohibition in paragraph (1) if—

(a)that person became a relevant firm or relevant sole practitioner on 10th January 2020 by virtue of an amendment to these Regulations by the Money Laundering and Terrorist Financing (Amendment) Regulations 2019;

(b)that person has before 10th January 2021 applied to the supervisory authority for approval under paragraph (6); and

(c)that application has not yet been determined.]

(4) A relevant firm must take reasonable care to ensure that no-one is appointed, or continues to act, as an officer or manager of the firm unless—

(a)that person has been approved by the supervisory authority, and the supervisory authority's approval of that person has not ceased to be valid; or

(b)that person has applied for approval of the supervisory authority under paragraph (6) and the application has not yet been determined.

(5) A relevant sole practitioner must not act, or continue to act, as a sole practitioner unless—

(a)that person has been approved by the supervisory authority, and the supervisory authority's approval of that person has not ceased to be valid; or

(b)that person has applied for approval of the supervisory authority under paragraph (6) and the application has not yet been determined.

(6) An application for the approval of the supervisory authority under paragraph (1) may be made by or on behalf of the person concerned.

(7) The application must—

(a)be made in such manner as the supervisory authority may direct;

[F115(b)contain, or be accompanied by—

(i)sufficient information to enable the supervisory authority, if it is a self-regulatory organisation, to determine whether the person concerned has been convicted of a relevant offence; and

(ii)such other information as the supervisory authority may reasonably require.]

(8) The supervisory authority—

(a)must grant an application for approval under paragraph (6) unless the applicant has been convicted of a relevant offence;

(b)may grant an application so as to give approval only for a limited period.

(9) An approval given by a supervisory authority under paragraph (8)—

(a)is not valid if the person approved under paragraph (1) (the “approved person”) has been convicted of a relevant offence;

(b)ceases to be valid if the approved person is subsequently convicted of a relevant offence.

(10) If an approved person (“P”) is convicted of a relevant offence—

(a)P must inform the supervisory authority which approved P of the conviction within 30 days of the day on which P was convicted;

(b)the relevant firm for which P was approved must inform its supervisory authority of the conviction within 30 days of the date on which the firm became aware of P's conviction.

(11) If the beneficial owner of a relevant firm is convicted of a relevant offence, the High Court (or in Scotland the Court of Session) may, on the application of the supervisory authority, order the sale of the beneficial owner's interest in that firm.

(12) A person who, in breach of the prohibition in paragraph (1)—

(a)acts as a manager or officer of a relevant firm or as a relevant sole practitioner; or

(b)is knowingly a beneficial owner of a relevant firm,

is guilty of a criminal offence.

(13) A person who is guilty of a criminal offence under paragraph (12) is liable—

(a)on summary conviction—

(i)in England and Wales, to imprisonment for a term not exceeding three months, to a fine or to both;

(ii)in Scotland or Northern Ireland, to imprisonment for a term not exceeding three months, to a fine not exceeding the statutory maximum or to both;

(b)on conviction on indictment, to imprisonment for a term not exceeding two years, to a fine or to both.

(14) The offences listed in Schedule 3 are relevant offences for the purposes of this regulation.

PART 3U.K.Customer Due Diligence

CHAPTER 1U.K.Customer due diligence: general

Customer due diligenceU.K.

27.—(1) A relevant person must apply customer due diligence measures if the person—

(a)establishes a business relationship;

(b)carries out an occasional transaction that amounts to a transfer of funds within the meaning of Article 3.9 of the funds transfer regulation exceeding 1,000 euros;

(c)suspects money laundering or terrorist financing; or

(d)doubts the veracity or adequacy of documents or information previously obtained for the purposes of identification or verification.

(2) A relevant person who is not [F116a letting agent,] a high value dealer, [F117an art market participant, a cryptoasset exchange provider of the kind referred to in paragraph (7D)] [F118or (7E), a custodian wallet provider of the kind referred to in paragraph (7E)] or a casino must also apply customer due diligence measures if the person carries out an occasional transaction that amounts to 15,000 euros or more, whether the transaction is executed in a single operation or in several operations which appear to be linked.

(3) A high value dealer must also apply customer due diligence measures if that dealer carries out an occasional transaction in cash that amounts to 10,000 euros or more, whether the transaction is executed in a single operation or in several operations which appear to be linked.

(4) A transaction does not cease to be a “transaction in cash” for the purposes of paragraph (3) if cash is paid by or on behalf of a party to the transaction—

(a)to a person other than the other party to the transaction for the benefit of the other party, or

(b)into a bank account for the benefit of the other party to the transaction.

(5) A casino must also apply customer due diligence measures in relation to any transaction within paragraph (6) that amounts to 2,000 euros or more, whether the transaction is executed in a single operation or in several operations which appear to be linked.

(6) A transaction is within this paragraph if it consists of—

(a)the wagering of a stake, including—

(i)the purchase from, or exchange with, the casino of tokens for use in gambling at the casino;

(ii)payment for use of gaming machines (within the meaning of section 235 of the Gambling Act 2005 M58); and

(iii)the deposit of funds required to take part in remote gambling; or

(b)the collection of winnings, including the withdrawal of funds deposited to take part in remote gambling (within the meaning of section 4 of the Gambling Act 2005) or winnings arising from the staking of such funds.

(7) In determining whether a transaction amounts to 2,000 euros or more for the purposes of paragraph (5), no account is to be taken of winnings from a previous transaction which had not been collected from the casino, gaming machine or remote gambling, but are being re-used in the transaction in question.

[F119(7A) A letting agent must also apply customer due diligence measures in relation to any transaction which consists of the conclusion of an agreement for the letting of land (within the meaning given in regulation 13(7))—

(i)for a term of a month or more, and

(ii)at a rent which during at least part of the term is, or is equivalent to, a monthly rent of 10,000 euros or more.

(7B) The letting agent must apply customer due diligence measures under paragraph (7A) in relation to both the person by whom the land is being let, and the person who is renting the land.

(7C) An art market participant must also apply customer due diligence measures—

(a)in relation to any trade in a work of art (within the meaning given in regulation 14), when the firm or sole practitioner carries out, or acts in respect of, any such transaction, or series of linked transactions, whose value amounts to 10,000 euros or more;

(b)in relation to the storage of a work of art (within the meaning given in regulation 14), when it is the operator of a freeport and the value of the works of art so stored for a person, or series of linked persons, amounts to 10,000 euros or more.

(7D) A cryptoasset exchange provider of the kind who operates a machine which utilises automated processes to exchange cryptoassets for money, or money for cryptoassets, must also apply customer due diligence measures in relation to any such transaction carried out using that machine (and for the purposes of this paragraph “money” and “cryptoasset” have the same meanings as they have in regulation 14A(1)).]

[F120(7E) Without prejudice to paragraph (7D), a cryptoasset exchange provider and a custodian wallet provider must also apply customer due diligence measures in relation to a cryptoasset transfer which is equal to or exceeds the equivalent in cryptoassets of 1,000 euros in value (taken together with any other cryptoasset transfer which appears to be linked).]

(8) A relevant person must also apply customer due diligence measures—

[F121(za)when the relevant person has any legal duty in the course of the calendar year to contact an existing customer for the purpose of reviewing any information which—

(i)is relevant to the relevant person’s risk assessment for that customer, and

(ii)relates to the beneficial ownership of the customer, including information which enables the relevant person to understand the ownership or control structure of a legal person, trust, foundation or similar arrangement who is the beneficial owner of the customer;

(zb)when the relevant person has to contact an existing customer in order to fulfil any duty under the International Tax Compliance Regulations 2015 M59;]

(a)at other appropriate times to existing customers on a risk based approach;

(b)when the relevant person becomes aware that the circumstances of an existing customer relevant to its risk assessment for that customer have changed.

(9) For the purposes of paragraph (8), in determining when it is appropriate to take customer due diligence measures in relation to existing customers, a relevant person must take into account, among other things—

(a)any indication that the identity of the customer, or of the customer's beneficial owner, has changed;

(b)any transactions which are not reasonably consistent with the relevant person's knowledge of the customer;

(c)any change in the purpose or intended nature of the relevant person's relationship with the customer;

(d)any other matter which might affect the relevant person's assessment of the money laundering or terrorist financing risk in relation to the customer.

[F122(10) In this regulation, “cryptoasset” and “cryptoasset transfer” have the meanings given by regulation 64B (cryptoasset transfers: interpretation).]

Customer due diligence measuresU.K.

28.—(1) This regulation applies when a relevant person is required by regulation 27 to apply customer due diligence measures.

(2) The relevant person must—

(a)identify the customer unless the identity of that customer is known to, and has been verified by, the relevant person;

(b)verify the customer's identity unless the customer's identity has already been verified by the relevant person; and

(c)assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or occasional transaction.

(3) Where the customer is a body corporate—

(a)the relevant person must obtain and verify—

(i)the name of the body corporate;

(ii)its company number or other registration number;

(iii)the address of its registered office, and if different, its principal place of business;

(b)subject to paragraph (5), the relevant person must take reasonable measures to determine and verify—

(i)the law to which the body corporate is subject, and its constitution (whether set out in its articles of association or other governing documents);

(ii)the full names of the board of directors (or if there is no board, the members of the equivalent management body) and the senior persons responsible for the operations of the body corporate.

[F123(3A) Where the customer is a legal person, trust, company, foundation or similar legal arrangement the relevant person must take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation or similar legal arrangement.]

(4) Subject to paragraph (5), where the customer is beneficially owned by another person, the relevant person must—

(a)identify the beneficial owner;

(b)take reasonable measures to verify the identity of the beneficial owner so that the relevant person is satisfied that it knows who the beneficial owner is; and

(c)if the beneficial owner is a legal person, trust, company, foundation or similar legal arrangement take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation or similar legal arrangement.

(5) Paragraphs (3)(b)[F124, (3A)] and (4) do not apply where the customer is a company which is listed on a regulated market.

(6) If the customer is a body corporate, and paragraph (7) applies, the relevant person may treat the senior person in that body corporate responsible for managing it as its beneficial owner.

(7) This paragraph applies if (and only if) the relevant person has exhausted all possible means of identifying the beneficial owner of the body corporate and—

(a)has not succeeded in doing so, or

(b)is not satisfied that the individual identified is in fact the beneficial owner.

[F125(8) If paragraph (7) applies, the relevant person must—

(a)keep records in writing of all the actions it has taken to identify the beneficial owner of the body corporate;

(b)take reasonable measures to verify the identity of the senior person in the body corporate responsible for managing it, and keep records in writing of—

(i)all the actions the relevant person has taken in doing so, and

(ii)any difficulties the relevant person has encountered in doing so.]

(9) Relevant persons do not satisfy their requirements under paragraph (4) by relying solely on the information—

(a)contained in—

(i)the register of people with significant control kept by a company under section 790M of the Companies Act 2006 (duty to keep register) M59;

(ii)the register of people with significant control kept by a limited liability partnership under section 790M of the Companies Act 2006 as modified by regulation 31E of the Limited Liability Partnerships (Application of Companies Act 2006) Regulations 2009 M60; or

(iii)the register of people with significant control kept by a [F126UK Societas] (within the meaning of the Council Regulation 2157/2001/EC of 8 October 2001 on the Statute for a European Company F127...) under section 790M of the Companies Act 2006 as modified by regulation 5 of the European Public Limited Liability Company (Register of People with Significant Control) Regulations 2016 M61;

(b)referred to in sub-paragraph (a) and delivered to the registrar of companies (within the meaning of section 1060(3) of the Companies Act 2006 (the registrar)) under any enactment; or

(c)contained in required particulars in relation to eligible Scottish partnerships delivered to the registrar of companies under regulation 19 of the Scottish Partnerships (Register of People with Significant Control) Regulations 2017 M62.

(10) Where a person (“A”) purports to act on behalf of the customer, the relevant person must—

(a)verify that A is authorised to act on the customer's behalf;

(b)identify A; and

(c)verify A's identity on the basis of documents or information in either case obtained from a reliable source which is independent of both A and the customer.

(11) The relevant person must conduct ongoing monitoring of a business relationship, including—

(a)scrutiny of transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the relevant person's knowledge of the customer, the customer's business and risk profile;

(b)undertaking reviews of existing records and keeping the documents or information obtained for the purpose of applying customer due diligence measures up-to-date.

(12) The ways in which a relevant person complies with the requirement to take customer due diligence measures, and the extent of the measures taken—

(a)must reflect—

(i)the risk assessment carried out by the relevant person under regulation 18(1);

(ii)its assessment of the level of risk arising in any particular case;

(b)may differ from case to case.

(13) In assessing the level of risk in a particular case, the relevant person must take account of factors including, among other things—

(a)the purpose of an account, transaction or business relationship;

(b)the level of assets to be deposited by a customer or the size of the transactions undertaken by the customer;

(c)the regularity and duration of the business relationship.

(14) If paragraph (15) applies, a relevant person is not required to continue to apply customer due diligence measures under paragraph (2) or (10) in respect of a customer.

(15) This paragraph applies if all the following conditions are met—

(a)a relevant person has taken customer due diligence measures in relation to a customer;

(b)the relevant person makes a disclosure required by—

(i)Part 3 of the Terrorism Act 2000 M63, or

(ii)Part 7 of the Proceeds of Crime Act 2002 M64; and

(c)continuing to apply customer due diligence measures in relation to that customer would result in the commission of an offence by the relevant person under—

(i)section 21D of the Terrorism Act 2000 (tipping off: regulated sector) M65; or

(ii)section 333A of the Proceeds of Crime Act 2002 (tipping off: regulated sector) M66.

(16) The relevant person must be able to demonstrate to its supervisory authority that the extent of the measures it has taken to satisfy its requirements under this regulation are appropriate in view of the risks of money laundering and terrorist financing, including risks—

(a)identified by the risk assessment carried out by the relevant person under regulation 18(1);

(b)identified by its supervisory authority and in information made available to the relevant person under regulations 17(9) and 47.

(17) Paragraph (16) does not apply to the National Savings Bank or the Director of Savings.

(18) For the purposes of this regulation—

(a)except in paragraph (10), “verify” means verify on the basis of documents or information in either case obtained from a reliable source which is independent of the person whose identity is being verified;

(b)documents issued or made available by an official body are to be regarded as being independent of a person even if they are provided or made available to the relevant person by or on behalf of that person.

[F128(19) For the purposes of this regulation, information may be regarded as obtained from a reliable source which is independent of the person whose identity is being verified where—

(a)it is obtained by means of an electronic identification process, including by using electronic identification means or by using a trust service (within the meanings of those terms in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23rd July 2014 on electronic identification and trust services for electronic transactions in the internal market M67); and

(b)that process is secure from fraud and misuse and capable of providing [F129assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary for effectively managing and mitigating any risks of money laundering and terrorist financing].]

Additional customer due diligence measures: credit institutions and financial institutionsU.K.

29.—(1) This regulation applies in addition to regulation 28 where a relevant person is a credit institution or a financial institution.

(2) Paragraphs (3) to (5) apply if the relevant person is providing a customer with a contract of long-term insurance (“the insurance policy”).

(3) As soon as the beneficiaries of the insurance policy are identified or designated, the relevant person must—

(a)if the beneficiary is a named person or legal arrangement, take the full name of the person or arrangement; or

(b)if the beneficiaries are designated by specified characteristics, as a class or in any other way, obtain sufficient information about the beneficiaries to satisfy itself that it will be able to establish the identity of the beneficiary before any payment is made under the insurance policy.

(4) The relevant person must verify the identity of the beneficiaries (on the basis of documents or information in either case obtained from a reliable source which is independent of the customer and the beneficiaries, and regulation 28(18)(b) applies for the purpose of determining whether a source satisfies this requirement) before any payment is made under the insurance policy.

(5) When the relevant person becomes aware that all or part of the rights under the insurance policy are being, or have been, assigned to an individual, body corporate, trust or other legal arrangement which is receiving the value or part of the value of the insurance policy for its own benefit ( “ the new beneficiary ”), the relevant person must identify the new beneficiary as soon as possible after becoming aware of the assignment, and in any case before a payment is made under the policy.

(6) The relevant person must not set up [F130an anonymous account, an anonymous passbook or an anonymous safe-deposit box] for any new or existing customer.

(7) The relevant person must apply customer due diligence measures to all anonymous accounts and passbooks in existence on the date on which these Regulations come into force, and in any event before such accounts or passbooks are used in any way.

[F131(7A) The relevant person must apply customer due diligence measures to all anonymous safe-deposit boxes in existence on 10th January 2019, and in any event before such safe-deposit boxes are used in any way.]

(8) A relevant person which—

(a)is an open-ended investment company within the meaning of regulation 2(1) of the Open-Ended Investment Companies Regulations 2001 M68; and

(b)is authorised on or after the date on which these Regulations come into force,

may not issue shares evidenced by a share certificate (or any other documentary evidence) indicating that the holder of the certificate or document is entitled to the shares specified in it.

(9) Paragraph (8) does not apply to an open-ended investment company if—

(a)an application for an authorisation order under regulation 12 of the Open-ended Investment Companies Regulations 2001 was made in relation to that open-ended investment company before the date on which these Regulations come into force; and

(b)that application was not determined until a date on or after the date on which these Regulations come into force.

Timing of verificationU.K.

30.—(1) This regulation applies when a relevant person is required to take any measures under regulation 27, 28 or 29.

(2) Subject to paragraph (3) or (4), a relevant person must comply with the requirement to verify the identity of the customer, any person purporting to act on behalf of the customer and any beneficial owner of the customer before the establishment of a business relationship or the carrying out of the transaction.

(3) Provided that the verification is completed as soon as practicable after contact is first established, the verification of the customer, any person purporting to act on behalf of the customer and the customer's beneficial owner, may be completed during the establishment of a business relationship if—

(a)this is necessary not to interrupt the normal conduct of business; and

(b)there is little risk of money laundering and terrorist financing.

(4) The verification by a credit institution or a financial institution of the identity of a customer opening an account, any person purporting to act on behalf of the customer and any beneficial owner of the customer, may take place after the account has been opened provided that there are adequate safeguards in place to ensure that no transactions are carried out by or on behalf of the customer before verification has been completed.

(5) For the purposes of paragraph (4) “account” includes an account which permits transactions in transferable securities.

(6) Paragraph (7) applies if—

(a)the relevant person is required to apply customer due diligence measures in the case of a trust, a legal entity (other than a body corporate) or a legal arrangement (other than a trust); and

(b)the beneficiaries of that trust, entity or arrangement are designated as a class, or by reference to particular characteristics.

(7) If this paragraph applies, the relevant person must establish and verify the identity of any beneficiary before—

(a)any payment is made to the beneficiary; or

(b)the beneficiary exercises its vested rights in the trust, legal entity or legal arrangement.

[F132Requirement to report discrepancies in registersU.K.

30A.—(1) Before establishing a business relationship with—

(a)a company which is subject to the requirements of Part 21A of the Companies Act 2006 (information about people with significant control);

(b)an unregistered company which is subject to the requirements of the Unregistered Companies Regulations 2009;

(c)a limited liability partnership which is subject to the requirements of the Limited Liability Partnerships (Application of Companies Act 2006) Regulations 2009;

(d)an eligible Scottish partnership which is subject to the requirements of the Scottish Partnerships (Register of People with Significant Control) Regulations 2017, F133...

(e)a trust which is subject to registration under Part 5 of these Regulations, [F134or]

[F135(f)an overseas entity which is subject to registration under Part 1 of the Economic Crime (Transparency and Enforcement) Act 2022,]

[F136a relevant person must collect an excerpt of the register which contains full details of any information specified in paragraph (1A) held on the register at the relevant time before the business relationship is established, or must establish from its inspection of the register that there is no such information held on the register at that time.]

[F137(1A) The information specified in this paragraph is as follows—

(a)in relation to a firm of a type described in paragraphs (1)(a) to (e), information relating to beneficial owners of the customer; and

(b)in relation to an overseas entity of a type described in paragraph (1)(f), required information relating to registrable beneficial owners specified under Schedule 1 to the Economic Crime (Transparency and Enforcement) Act 2022.]

(2) The relevant person must report to the person mentioned in paragraph (3) [F138any material discrepancy] the relevant person finds between information relating to the beneficial ownership of the customer—

(a)which the relevant person collects under paragraph (1), and

(b)which otherwise becomes available to the relevant person in the course of carrying out its duties under these Regulations when establishing a business relationship with the customer.

[F139(2A) When taking measures to fulfil the duties to carry out customer due diligence and ongoing monitoring of a business relationship (including enhanced customer due diligence and enhanced ongoing monitoring) under Part 3 of these Regulations after a business relationship with a customer of a type described in paragraph (1)(a) to (f) has been established, a relevant person must also collect an excerpt of the register which contains full details of any information specified in paragraph (1A) which is held on the register at that time, or must establish from its inspection of the register that there is no such information held on the register at that time.

(2B) The relevant person must report to the person mentioned in paragraph (3) any material discrepancy the relevant person finds between information relating to the beneficial ownership of the customer—

(a)which the relevant person collects under paragraph (2A), and

(b)which otherwise becomes available to the relevant person in the course of carrying out its duties under these Regulations.]

(3) [F140A material discrepancy referred to in paragraphs (2) and (2B)] must be reported—

(a)if it relates to a company, an unregistered company, a limited liability partnership [F141, an eligible Scottish partnership or an overseas entity,] to the registrar; or

(b)if it relates to a trust, to the Commissioners.

(4) The relevant person is not required under paragraph (2) [F142or (2B)] to report information which that person would be entitled to refuse to provide on grounds of legal professional privilege in the High Court (or in Scotland, on the ground of confidentiality of communications in the Court of Session).

(5) The person to whom [F143a material discrepancy] is reported must take such action as that person considers appropriate to investigate and, if necessary, resolve the discrepancy in a timely manner.

[F144(6) A discrepancy which is reported to the registrar under paragraph (3) is material excluded from public inspection for the purposes of—

(a)section 1087 of the Companies Act 2006 (material not available for public inspection), including for the purposes of that section as applied—

(i)to unregistered companies by paragraph 20 of Schedule 1 to the Unregistered Companies Regulations 2009;

(ii)to limited liability partnerships by regulation 66 of the Limited Liability Partnerships (Application of Companies Act 2006) Regulations 2009; and

(iii)to eligible Scottish partnerships by regulation 61 of the Scottish Partnerships (Register of People with Significant Control) Regulations 2017; and

(b)section 22 of the Economic Crime (Transparency and Enforcement) Act 2022 (material unavailable for inspection).]

(7) A reference to the registrar in this regulation is to the registrar of companies within the meaning of section 1060(3) of the Companies Act 2006.

[F145(8) In this regulation, a “material discrepancy” is one described in Schedule 3AZA.]]

Requirement to cease transactions etcU.K.

31.—(1) Where, in relation to any customer, a relevant person is unable to apply customer due diligence measures as required by regulation 28, that person—

(a)must not carry out any transaction through a bank account with the customer or on behalf of the customer;

(b)must not establish a business relationship or carry out a transaction with the customer otherwise than through a bank account;

(c)must terminate any existing business relationship with the customer;

(d)must consider whether the relevant person is required to make a disclosure (or to make further disclosure) by—

(i)Part 3 of the Terrorism Act 2000 M69; or

(ii)Part 7 of the Proceeds of Crime Act 2002 M70.

(2) Paragraph (1)(a) does not prevent money deposited in an account being repaid to the person who deposited it, provided that, in any case where a disclosure is required by the legislation referred in paragraph (1)(d), the relevant person has—

(a)consent (within the meaning of section 21ZA of the Terrorism Act 2000 (arrangements with prior consent)) M71 to the transaction, or

(b)the appropriate consent (within the meaning of section 335 of the Proceeds of Crime Act 2002 (appropriate consent)) to the transaction.

(3) Paragraph (1) does not apply where an independent legal professional or other professional adviser is in the course of ascertaining the legal position for a client or performing the task of defending or representing that client in, or concerning, legal proceedings, including giving advice on the institution or avoidance of proceedings.

(4) In paragraph (3), “other professional adviser” means an auditor, external accountant or tax adviser who is a member of a professional body which is established for any such persons and which makes provision for—

(a)testing the competence of those seeking admission to membership of such a body as a condition for such admission; and

(b)imposing and maintaining professional and ethical standards for its members, as well as imposing sanctions for non-compliance with those standards.

(5) Paragraph (1)(a) to (c) does not apply where an insolvency practitioner has been appointed by the court as administrator or liquidator of a company, provided that—

(a)the insolvency practitioner has taken all reasonable steps to satisfy the requirements set out in regulation 28(2) and (10), and

(b)the resignation of the insolvency practitioner would be prejudicial to the interests of the creditors of the company.

Exception for trustees of debt issuesU.K.

32.—(1) A relevant person—

(a)who is appointed by the issuer of instruments or securities specified in paragraph (2) as trustee of an issue of such instruments or securities; or

(b)whose customer is a trustee of an issue of such instruments or securities,

is not required to apply the customer due diligence measure referred to in regulation 28(3) and (4) in respect of the holders of such instruments or securities.

(2) The specified instruments and securities are—

(a)instruments which fall within article 77 or 77A of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 M72; and

(b)securities which fall within article 78 of that Order M73.

CHAPTER 2U.K.Enhanced customer due diligence

Obligation to apply enhanced customer due diligenceU.K.

33.—(1) A relevant person must apply enhanced customer due diligence measures and enhanced ongoing monitoring, in addition to the customer due diligence measures required under regulation 28 and, if applicable, regulation 29, to manage and mitigate the risks arising—

(a)in any case identified as one where there is a high risk of money laundering or terrorist financing—

(i)by the relevant person under regulation 18(1), or

(ii)in information made available to the relevant person under regulations 17(9) and 47;

(b)in any business relationship F146... with a person established in a high-risk third country [F147or in relation to any relevant transaction where either of the parties to the transaction is established in a high-risk third country];

(c)in relation to correspondent relationships with a credit institution or a financial institution (in accordance with regulation 34);

(d)if a relevant person has determined that a customer or potential customer is a PEP, or a family member or known close associate of a PEP (in accordance with regulation 35);

(e)in any case where the relevant person discovers that a customer has provided false or stolen identification documentation or information and the relevant person proposes to continue to deal with that customer;

[F148(f)in any case where—

(i)a transaction is complex or unusually large,

(ii)there is an unusual pattern of transactions, or

(iii)the transaction or transactions have no apparent economic or legal purpose, and]

(g)in any other case which by its nature can present a higher risk of money laundering or terrorist financing.

(2) Paragraph (1)(b) does not apply when the customer is a branch or majority owned subsidiary undertaking of an entity which is established in [F149a third country] if all the following conditions are satisfied—

[F150(a)the entity is—

(i)subject to requirements in national legislation having an equivalent effect to those laid down in the fourth money laundering directive on an obliged entity (within the meaning of that directive); and

(ii)supervised for compliance with those requirements in a manner equivalent to section 2 of Chapter VI of the fourth money laundering directive;]

(b)the branch or subsidiary complies fully with procedures and policies established for the group under [F151requirements equivalent to those laid down in] Article 45 of the fourth money laundering directive; and

(c)the relevant person, applying a risk-based approach, does not consider that it is necessary to apply enhanced customer due diligence measures.

[F152(3) For the purposes of paragraph (1)(b)—

(a)[F153a “high-risk third country” means a country which is specified in Schedule 3ZA;]

(b)a “relevant transaction” means a transaction in relation to which the relevant person is required to apply customer due diligence measures under regulation 27;

(c)being “established in” a country means—

(i)in the case of a legal person, being incorporated in or having its principal place of business in that country, or, in the case of a financial institution or a credit institution, having its principal regulatory authority in that country; and

(ii)in the case of an individual, being resident in that country, but not merely having been born in that country.]

[F154(3A) The enhanced due diligence measures taken by a relevant person for the purpose of paragraph (1)(b) must include—

(a)obtaining additional information on the customer and on the customer’s beneficial owner;

(b)obtaining additional information on the intended nature of the business relationship;

(c)obtaining information on the source of funds and source of wealth of the customer and of the customer’s beneficial owner;

(d)obtaining information on the reasons for the transactions;

(e)obtaining the approval of senior management for establishing or continuing the business relationship;

(f)conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.]

(4) The enhanced customer due diligence measures taken by a relevant person for the purpose of paragraph (1)(f) must include—

(a)as far as reasonably possible, examining the background and purpose of the transaction, and

(b)increasing the degree and nature of monitoring of the business relationship in which the transaction is made to determine whether that transaction or that relationship appear to be suspicious.

[F155(4A) Where a relevant person provides a life insurance policy, the relevant person must consider the nature and identity of the beneficiary of the policy when assessing whether there is a high risk of money laundering or terrorist financing, and the extent of the measures which should be taken to manage and mitigate that risk.

(4B) Where the beneficiary of a life insurance policy provided by a relevant person—

(a)is a legal person or a legal arrangement, and

(b)presents a high risk of money laundering or terrorist financing,

the relevant person must take reasonable measures to identify and verify the identity of the beneficial owner of that beneficiary before any payment is made under the policy.]

(5) Depending on the requirements of the case, the enhanced customer due diligence measures required under paragraph (1) may also include, among other things—

(a)seeking additional independent, reliable sources to verify information provided or made available to the relevant person;

(b)taking additional measures to understand better the background, ownership and financial situation of the customer, and other parties to the transaction;

(c)taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship;

(d)increasing the monitoring of the business relationship, including greater scrutiny of transactions.

(6) When assessing whether there is a high risk of money laundering or terrorist financing in a particular situation, and the extent of the measures which should be taken to manage and mitigate that risk, relevant persons must take account of risk factors including, among other things—

(a)customer risk factors, including whether—

(i)the business relationship is conducted in unusual circumstances;

(ii)the customer is resident in a geographical area of high risk (see sub-paragraph (c));

(iii)the customer is a legal person or legal arrangement that is a vehicle for holding personal assets;

(iv)the customer is a company that has nominee shareholders or shares in bearer form;

(v)the customer is a business that is cash intensive;

(vi)the corporate structure of the customer is unusual or excessively complex given the nature of the company's business;

[F156(vii)the customer is the beneficiary of a life insurance policy;

(viii)the customer is a third country national who is applying for residence rights in or citizenship of [F157a state] in exchange for transfers of capital, purchase of a property, government bonds or investment in corporate entities in [F158that state];]

(b)product, service, transaction or delivery channel risk factors, including whether—

(i)the product involves private banking;

(ii)the product or transaction is one which might favour anonymity;

(iii)the situation involves non-face-to-face business relationships or transactions, without certain safeguards, such as [F159an electronic identification process which meets the conditions set out in regulation 28(19)];

(iv)payments will be received from unknown or unassociated third parties;

(v)new products and new business practices are involved, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products;

(vi)the service involves the provision of nominee directors, nominee shareholders or shadow directors, or the formation of companies in a third country;

[F160(vii)there is a transaction related to oil, arms, precious metals, tobacco products, cultural artefacts, ivory or other items related to protected species, or other items of archaeological, historical, cultural or religious significance or of rare scientific value;]

(c)geographical risk factors, including—

(i)countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective systems to counter money laundering or terrorist financing;

(ii)countries identified by credible sources as having significant levels of corruption or other criminal activity, such as terrorism (within the meaning of section 1 of the Terrorism Act 2000 M74), money laundering, and the production and supply of illicit drugs;

(iii)countries subject to sanctions, embargos or similar measures issued by, for example, the European Union or the United Nations;

(iv)countries providing funding or support for terrorism;

(v)countries that have organisations operating within their territory which have been designated—

(aa)by the government of the United Kingdom as proscribed organisations under Schedule 2 to the Terrorism Act 2000 M75, or

(bb)by other countries, international organisations or the European Union as terrorist organisations;

(vi)countries identified by credible sources, such as evaluations, detailed assessment reports or published follow-up reports published by the Financial Action Task Force, the International Monetary Fund, the World Bank, the Organisation for Economic Co-operation and Development or other international bodies or non-governmental organisations as not implementing requirements to counter money laundering and terrorist financing that are consistent with the recommendations published by the Financial Action Task Force in February 2012 and updated in [F161June 2019].

(7) In making the assessment referred to in paragraph (6), relevant persons must bear in mind that the presence of one or more risk factors may not always indicate that there is a high risk of money laundering or terrorist financing in a particular situation.

F162(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Enhanced customer due diligence: credit institutions, financial institutions and correspondent relationshipsU.K.

34.—(1) A credit institution or financial institution (the “correspondent”) which has or proposes to have a correspondent relationship [F163involving the execution of payments] with another such institution (the “respondent”) from a third country must, in addition to the measures required by regulation 33—

(a)gather sufficient information about the respondent to understand fully the nature of its business;

(b)determine from publicly-available information from credible sources the reputation of the respondent and the quality of the supervision to which the respondent is subject;

(c)assess the respondent's controls to counter money laundering and terrorist financing;

(d)obtain approval from senior management before establishing a new correspondent relationship;

(e)document the responsibilities of the respondent and correspondent in the correspondent relationship; and

(f)be satisfied that, in respect of those of the respondent's customers who have direct access to accounts with the correspondent, the respondent—

(i)has verified the identity of, and conducts ongoing customer due diligence measures in relation to, such customers; and

(ii)is able to provide to the correspondent, upon request, the documents or information obtained when applying such customer due diligence measures.

(2) Credit institutions and financial institutions must not enter into, or continue, a correspondent relationship with a shell bank.

(3) Credit institutions and financial institutions must take appropriate enhanced measures to ensure that they do not enter into, or continue, a correspondent relationship with a credit institution or financial institution which is known to allow its accounts to be used by a shell bank.

(4) For the purposes of this regulation—

(a)“correspondent relationship” means—

(i)the provision of banking services by a correspondent to a respondent including providing a current or other liability account and related services, such as cash management, international funds transfers, cheque clearing, providing customers of the respondent with direct access to accounts with the correspondent (and vice versa) and providing foreign exchange services; or

(ii)the relationship between and among credit institutions and financial institutions including where similar services are provided by a correspondent to a respondent, and including relationships established for securities transactions or funds transfers;

(b)a “shell bank” means a credit institution or financial institution, or an institution engaged in equivalent activities to those carried out by credit institutions or financial institutions, incorporated in a jurisdiction in which it has no physical presence involving meaningful decision-making and management, and which is not part of a financial conglomerate or third-country financial conglomerate;

(c)in sub-paragraph (b), “financial conglomerate” and “third-country financial conglomerate” have the meanings given by regulations 1(2) and 7(1) respectively of the Financial Conglomerates and Other Financial Groups Regulations 2004 M76.

Enhanced customer due diligence: politically exposed personsU.K.

35.—(1) A relevant person must have in place appropriate risk-management systems and procedures to determine whether a customer or the beneficial owner of a customer is—

(a)a politically exposed person (a “PEP”); or

(b)a family member or a known close associate of a PEP,

and to manage the enhanced risks arising from the relevant person's business relationship or transactions with such a customer.

(2) In determining what risk-management systems and procedures are appropriate under paragraph (1), the relevant person must take account of—

(a)the risk assessment it carried out under regulation 18(1);

(b)the level of risk of money laundering and terrorist financing inherent in its business;

(c)the extent to which that risk would be increased by its business relationship or transactions with a PEP, or a family member or known close associate of a PEP, and

(d)any relevant information made available to the relevant person under regulations 17(9) and 47.

(3) If a relevant person has determined that a customer or a potential customer is a PEP, or a family member or known close associate of a PEP, the relevant person must assess—

(a)the level of risk associated with that customer, and

(b)the extent of the enhanced customer due diligence measures to be applied in relation to that customer.

(4) In assessing the extent of the enhanced customer due diligence measures to be taken in relation to any particular person (which may differ from case to case), a relevant person—

(a)must take account of any relevant information made available to the relevant person under regulations 17(9) and 47; and

(b)may take into account any guidance which has been—

(i)issued by the FCA; or

(ii)issued by any other supervisory authority or appropriate body and approved by the Treasury.

(5) A relevant person who proposes to have, or to continue, a business relationship with a PEP, or a family member or a known close associate of a PEP, must, in addition to the measures required by regulation 33—

(a)have approval from senior management for establishing or continuing the business relationship with that person;

(b)take adequate measures to establish the source of wealth and source of funds which are involved in the proposed business relationship or transactions with that person; and

(c)where the business relationship is entered into, conduct enhanced ongoing monitoring of the business relationship with that person.

(6) A relevant person which is providing a customer with a contract of long-term insurance (an “insurance policy”) must take reasonable measures to determine whether one or more of the beneficiaries of the insurance policy or the beneficial owner of a beneficiary of such an insurance policy are—

(a)PEPs, or

(b)family members or known close associates of PEPs.

(7) The measures required under paragraph (6) must be taken before—

(a)any payment is made under the insurance policy, or

(b)the benefit of the insurance policy is assigned in whole or in part to another person.

(8) A relevant person must, in addition to the measures required by regulation 33, ensure that—

(a)its senior management is informed before it pays out any sums under an insurance policy the beneficiary of which is a PEP or a person who comes within paragraph (6)(b) in relation to a PEP, and

(b)its entire business relationship with the holder of the insurance policy (“the policy holder”) is scrutinised on an ongoing basis in accordance with enhanced procedures, whether or not the policy holder is a PEP or a family member or known close associate of a PEP.

(9) Where a person who was a PEP is no longer entrusted with a prominent public function, a relevant person must continue to apply the requirements in paragraphs (5) and (8) in relation to that person—

(a)for a period of at least 12 months after the date on which that person ceased to be entrusted with that public function; or

(b)for such longer period as the relevant person considers appropriate to address risks of money laundering or terrorist financing in relation to that person.

(10) Paragraph (9) does not apply in relation to a person who—

(a)was not a politically exposed person within the meaning of regulation 14(5) of the Money Laundering Regulations 2007 M77, when those Regulations were in force; and

(b)ceased to be entrusted with a prominent public function before the date on which these Regulations come into force.

(11) When a person who was a PEP is no longer entrusted with a prominent public function, the relevant person is no longer required to apply the requirements in paragraphs (5) and (8) in relation to a family member or known close associate of that PEP (whether or not the period referred to in paragraph (9) has expired).

(12) In this regulation—

(a)“politically exposed person” or “PEP” means an individual who is entrusted with prominent public functions, other than as a middle-ranking or more junior official;

(b)“family member” of a politically exposed person includes—

(i)a spouse or civil partner of the PEP;

(ii)children of the PEP and the spouses or civil partners of the PEP's children;

(iii)parents of the PEP;

(c)“known close associate” of a PEP means—

(i)an individual known to have joint beneficial ownership of a legal entity or a legal arrangement or any other close business relations with a PEP;

(ii)an individual who has sole beneficial ownership of a legal entity or a legal arrangement which is known to have been set up for the benefit of a PEP.

(13) For the purposes of paragraph (5), a reference to a business relationship with an individual includes a reference to a business relationship with a person of which the individual is a beneficial owner.

(14) For the purposes of paragraphs (9), (11) and (12)(a), individuals entrusted with prominent public functions include—

(a)heads of state, heads of government, ministers and deputy or assistant ministers;

(b)members of parliament or of similar legislative bodies;

(c)members of the governing bodies of political parties;

(d)members of supreme courts, of constitutional courts or of any judicial body the decisions of which are not subject to further appeal except in exceptional circumstances;

(e)members of courts of auditors or of the boards of central banks;

(f)ambassadors, charges d'affaires and high-ranking officers in the armed forces;

(g)members of the administrative, management or supervisory bodies of State-owned enterprises;

(h)directors, deputy directors and members of the board or equivalent function of an international organisation.

(15) For the purpose of deciding whether a person is a known close associate of a politically exposed person, a relevant person need only have regard to information which is in its possession, or to credible information which is publicly available.

Politically exposed persons: other dutiesU.K.

36.—(1) The duty under section 30(1) of the Bank of England and Financial Services Act 2016 (duty to ensure that regulations or orders implementing the fourth money laundering directive comply with paragraphs (a) to (d) of that subsection) M78 does not apply if, and to the extent that, the duty is otherwise satisfied as a result of any provision contained in these Regulations, or any guidance issued by the FCA under these Regulations.

(2) The duty under section 333U(1) and (2) of FSMA (duty to issue guidance in connection with politically exposed persons) M79 does not apply if, and to the extent that, the duty is otherwise satisfied as a result of guidance issued by the FCA under these Regulations.

CHAPTER 3U.K.Simplified customer due diligence

Application of simplified customer due diligenceU.K.

37.—(1) A relevant person may apply simplified customer due diligence measures in relation to a particular business relationship or transaction if it determines that the business relationship or transaction presents a low degree of risk of money laundering and terrorist financing, having taken into account—

(a)the risk assessment it carried out under regulation 18(1);

(b)relevant information made available to it under regulations 17(9) and 47; and

(c)the risk factors referred to in paragraph (3).

(2) Where a relevant person applies simplified customer due diligence measures, it must—

(a)continue to comply with the requirements in [F164regulations 28 and 30A], but it may adjust the extent, timing or type of the measures it undertakes under [F165regulation 28] to reflect its determination under paragraph (1); and

(b)carry out sufficient monitoring of any business relationships or transactions which are subject to those measures to enable it to detect any unusual or suspicious transactions.

(3) When assessing whether there is a low degree of risk of money laundering and terrorist financing in a particular situation, and the extent to which it is appropriate to apply simplified customer due diligence measures in that situation, the relevant person must take account of risk factors including, among other things—

(a)customer risk factors, including whether the customer—

(i)is a public administration, or a publicly owned enterprise;

(ii)is an individual resident in a geographical area of lower risk (see sub-paragraph (c));

(iii)is a credit institution or a financial institution which is—

[F166(aa)subject to requirements in national legislation having an equivalent effect to those laid down in the fourth money laundering directive on an obliged entity (within the meaning of that directive); and]

(bb)supervised for compliance with those requirements [F167in a manner equivalent to] section 2 of Chapter VI of the fourth money laundering directive;

(iv)is a company whose securities are listed on a regulated market, and the location of the regulated market;

(b)product, service, transaction or delivery channel risk factors, including whether the product or service is—

(i)a life insurance policy for which the premium is low;

(ii)an insurance policy for a pension scheme which does not provide for an early surrender option, and cannot be used as collateral;

(iii)a pension, superannuation or similar scheme which satisfies the following conditions—

(aa)the scheme provides retirement benefits to employees;

(bb)contributions to the scheme are made by way of deductions from wages; and

(cc)the scheme rules do not permit the assignment of a member's interest under the scheme;

(iv)a financial product or service that provides appropriately defined and limited services to certain types of customers to increase access for financial inclusion purposes in [F168the United Kingdom];

(v)a product where the risks of money laundering and terrorist financing are managed by other factors such as purse limits or transparency of ownership;

(vi)a child trust fund within the meaning given by section 1(2) of the Child Trust Funds Act 2004 M80;

(vii)a junior ISA within the meaning given by regulation 2B of the Individual Savings Account Regulations 1998 M81;

(c)geographical risk factors, including whether the country where the customer is resident, established or registered or in which it operates is—

(i)[F169the United Kingdom];

(ii)a third country which has effective systems to counter money laundering and terrorist financing;

(iii)a third country identified by credible sources as having a low level of corruption or other criminal activity, such as terrorism (within the meaning of section 1 of the Terrorism Act 2000 M82), money laundering, and the production and supply of illicit drugs;

(iv)a third country which, on the basis of credible sources, such as evaluations, detailed assessment reports or published follow-up reports published by the Financial Action Task Force, the International Monetary Fund, the World Bank, the Organisation for Economic Co-operation and Development or other international bodies or non-governmental organisations—

(aa)has requirements to counter money laundering and terrorist financing that are consistent with the revised Recommendations published by the Financial Action Task Force in February 2012 and updated in October 2016; and

(bb)effectively implements those Recommendations.

(4) In making the assessment referred to in paragraph (3), relevant persons must bear in mind that the presence of one or more risk factors may not always indicate that there is a low risk of money laundering and terrorist financing in a particular situation.

(5) A relevant person may apply simplified customer due diligence measures where the customer is a person to whom paragraph (6) applies and the product is an account into which monies are pooled (the “pooled account”), provided that—

(a)the business relationship with the holder of the pooled account presents a low degree of risk of money laundering and terrorist financing; and

(b)information on the identity of the persons on whose behalf monies are held in the pooled account is available, on request to the relevant person where the pooled account is held.

(6) This paragraph applies to—

(a)a relevant person who is subject to these Regulations under regulation 8;

[F170(b)a person who carries on business in a third country who is—

(i)subject to requirements in national legislation having an equivalent effect to those laid down in the fourth money laundering directive on an obliged entity (within the meaning of that directive); and

(ii)supervised for compliance with those requirements in a manner equivalent to section 2 of Chapter VI of the fourth money laundering directive.]

F171(7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(8) A relevant person must not continue to apply simplified customer due diligence measures under paragraph (1)—

(a)if it doubts the veracity or accuracy of any documents or information previously obtained for the purposes of identification or verification;

(b)if its risk assessment changes and it no longer considers that there is a low degree of risk of money laundering and terrorist financing;

(c)if it suspects money laundering or terrorist financing; or

(d)if any of the conditions set out in regulation 33(1) apply.

Electronic moneyU.K.

38.—(1) Subject to paragraph (3), a relevant person is not required to apply customer due diligence measures in relation to electronic money, and regulations 27, 28, 30 and 33 to 37 do not apply provided that—

(a)the maximum amount which can be stored electronically is [F172150 euros];

(b)the payment instrument used in connection with the electronic money (“the relevant payment instrument”) is—

(i)not reloadable; or

(ii)is subject to a maximum limit on monthly payment transactions of [F173150 euros] which can only be used in the United Kingdom;

(c)the relevant payment instrument is used exclusively to purchase goods or services;

(d)anonymous electronic money cannot be used to fund the relevant payment instrument.

(2) Paragraph (1) does not apply to any transaction which consists of the redemption in cash, or a cash withdrawal, of the monetary value of the electronic money, [F174where—

(a)the amount redeemed exceeds 50 euros; or

(b)in the case of remote payment transactions, the amount redeemed exceeds 50 euros per transaction.]

(3) The issuer of the relevant payment instrument must carry out sufficient monitoring of its business relationship with the users of electronic money and of transactions made using the relevant payment instrument to enable it to detect any unusual or suspicious transactions.

(4) A relevant person is not prevented from applying simplified customer due diligence measures in relation to electronic money because the conditions set out in paragraph (1) are not satisfied, provided that such measures are permitted under regulation 37.

[F175(4A) Credit institutions and financial institutions, acting as acquirers for payment using an anonymous prepaid card issued in a third country, shall only accept payment where—

(a)the anonymous prepaid card is subject to requirements in national legislation having an equivalent effect to those laid down in this regulation; and

(b)the anonymous prepaid card satisfies those requirements.]

[F176(5) For the purposes of this regulation—

(a)“acquirer” means a payment service provider contracting with a payee to accept and process card-based payment transactions, which result in a transfer of funds to the payee;

(b)“payment instrument” has the meaning given by regulation 2(1) of the Electronic Money Regulations 2011 M83;

(c)“remote payment transaction” has the meaning given by regulation 2 of the Payment Services Regulations 2017 M84.]

PART 4U.K.Reliance and Record-keeping

RelianceU.K.

39.—(1) A relevant person may rely on a person who falls within paragraph (3) (“the third party”) to apply any of the customer due diligence measures required by regulation 28(2) to (6) and (10) [F177, or to carry out any of the measures required by regulation 30A,] but, notwithstanding the relevant person's reliance on the third party, the relevant person remains liable for any failure to apply such measures.

(2) When a relevant person relies on the third party to apply customer due diligence measures [F178or carry out any of the measures required by regulation 30A] under paragraph (1) it—

(a)must immediately obtain from the third party all the information needed to satisfy the requirements of regulation 28(2) to (6) and (10) [F179and regulation 30A] in relation to the customer, customer's beneficial owner, or any person acting on behalf of the customer;

(b)must enter into arrangements with the third party which—

(i)enable the relevant person to obtain from the third party immediately on request copies of any identification and verification data and any other relevant documentation on the identity of the customer, customer's beneficial owner, or any person acting on behalf of the customer;

(ii)require the third party to retain copies of the data and documents referred to in paragraph (i) for the period referred to in regulation 40.

(3) The persons within this paragraph are—

(a)another relevant person who is subject to these Regulations under regulation 8;

F180(b). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(c)a person who carries on business in a third country who is—

(i)subject to requirements in relation to customer due diligence and record keeping which are equivalent to those laid down in the fourth money laundering directive; and

(ii)supervised for compliance with those requirements in a manner equivalent to section 2 of Chapter VI of the fourth money laundering directive;

(d)organisations whose members consist of persons within sub-paragraph (a)F181... or (c).

(4) A relevant person may not rely on a third party established in [F182a high-risk third country], and for these purposes “high-risk third country” has the meaning given in regulation 33(3).

(5) Paragraph (4) does not apply to a branch or majority owned subsidiary of an entity F183... if all the following conditions are met—

[F184(a)the entity is—

(i)a person who is subject to the requirements in these Regulations as a relevant person within the meaning of regulation 8 and who is supervised for compliance with them; or

(ii)subject to requirements in national legislation having an equivalent effect to those laid down in the fourth money laundering directive on an obliged entity (within the meaning of that directive) and supervised for compliance with those requirements in a manner equivalent to section 2 of Chapter VI of the fourth money laundering directive;]

[F185(b)the branch or subsidiary complies fully with procedures and policies established for the group under—

(i)regulation 20 of these Regulations, or

(ii)requirements in national legislation having an equivalent effect to those laid down Article 45 of the fourth money laundering directive.]

(6) A relevant person is to be treated by a supervisory authority as having complied with the requirements of paragraph (2) if—

(a)the relevant person is relying on information provided by a third party which is a member of the same group as the relevant person;

(b)that group applies customer due diligence measures, rules on record keeping and programmes against money laundering and terrorist financing in accordance with these Regulations, the fourth money laundering directive or rules having equivalent effect; and

(c)the effective implementation of the requirements referred to in sub-paragraph (b) is supervised at group level by—

(i)an authority of an EEA state F186... with responsibility for the functions provided for in the fourth money laundering directive; or

(ii)an equivalent authority of a third country.

(7) Nothing in this regulation prevents a relevant person applying customer due diligence measures [F187, or carrying out any of the measures required by regulation 30A,] by means of an agent or an outsourcing service provider provided that the arrangements between the relevant person and the agent or outsourcing service provider provide for the relevant person to remain liable for any failure to apply such measures.

(8) For the purposes of paragraph (7), an “outsourcing service provider” means a person who—

(a)performs a process, a service or an activity that would otherwise be undertaken by the relevant person, and

(b)is not an employee of the relevant person.

Record-keepingU.K.

40.—(1) Subject to paragraph (5), a relevant person must keep the records specified in paragraph (2) for at least the period specified in paragraph (3).

(2) The records are—

(a)a copy of any documents and information obtained by the relevant person to satisfy the customer due diligence requirements in regulations 28, 29 and 33 to 37 [F188and the requirements of regulation 30A] [F189, and of regulations 64C and 64G(1)];

(b)sufficient supporting records (consisting of the original documents or copies) in respect of a transaction (whether or not the transaction is an occasional transaction) which is the subject of customer due diligence measures or ongoing monitoring to enable the transaction to be reconstructed.

[F190(c)in the case of an inter-cryptoasset business transfer, in addition to the records referred to in sub-paragraphs (a) and (b), any documents and information received by an intermediary cryptoasset business and the cryptoasset business of a beneficiary by virtue of the obligations under regulations 64C(1), (2) and (7), or received by them pursuant to a request under regulation 64D(2)(a) or 64E(2)(a); and

(d)in the case of an unhosted wallet transfer, in addition to the records referred to in sub-paragraphs (a) and (b), any documents and information received by a cryptoasset business pursuant to a request under regulation 64G(1).]

(3) Subject to paragraph (4), the period is five years beginning on the date on which the relevant person knows, or has reasonable grounds to believe—

(a)that the transaction is complete, for records relating to an occasional transaction; or

(b)that the business relationship has come to an end for records relating to—

(i)any transaction which occurs as part of a business relationship, or

(ii)customer due diligence measures taken in connection with that relationship.

(4) A relevant person is not required to keep the records referred to in paragraph (3)(b)(i) for more than 10 years.

(5) Once the period referred to in paragraph (3), or if applicable paragraph (4), has expired, the relevant person must delete any personal data obtained for the purposes of these Regulations unless—

(a)the relevant person is required to retain records containing personal data—

(i)by or under any enactment, or

(ii)for the purposes of any court proceedings;

(b)the data subject has given consent to the retention of that data; or

(c)the relevant person has reasonable grounds for believing that records containing the personal data need to be retained for the purpose of legal proceedings.

(6) A relevant person who is relied on by another person must keep the records specified in paragraph (2) for the period referred to in paragraph (3) or, if applicable, paragraph (4).

(7) A person referred to in regulation 39(3) (“A”) who is relied on by a relevant person (“B”) must, if requested by B within the period referred to in paragraph (3) or, if applicable, paragraph (4), immediately—

(a)make available to B any information about the customer, any person purporting to act on behalf of the customer and any beneficial owner of the customer, which A obtained when applying customer due diligence measures; and

(b)forward to B copies of any identification and verification data and other relevant documents on the identity of the customer, any person purporting to act on behalf of the customer and any beneficial owner of the customer, which A obtained when applying those measures.

(8) Paragraph (7) does not apply where a relevant person applies customer due diligence measures by means of an agent or an outsourcing service provider (within the meaning of regulation 39(8)).

(9) For the purposes of this regulation—

(a)B relies on A where B does so in accordance with regulation 39(1);

(b)“copy” means a copy of the original document which would be admissible as evidence of the original document in court proceedings;

[F191(c)“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

(d)“personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).]

[F192(e)“beneficiary”, “cryptoasset business”, “inter-cryptoasset business transfer”, “intermediary cryptoasset business” and “unhosted wallet transfer” have the meanings given by regulation 64B.]

Data ProtectionU.K.

41.—(1) Any personal data obtained by relevant persons for the purposes of these Regulations may only be processed for the purposes of preventing [F193money laundering, terrorist financing or proliferation financing].

F194(2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(3) No other use may be made of personal data referred to in paragraph (1), unless—

(a)use of the data is permitted by or under an enactment other than these Regulations [F195or the [F196UK GDPR]]; or

(b)the relevant person has obtained the consent of the data subject to the proposed use of the data.

F197(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F197(5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F198(6) Before establishing a business relationship or entering into an occasional transaction with a new customer, as well as providing the customer with the information required under Article 13 of the [F199UK GDPR] (information to be provided where personal data are collected from the data subject), relevant persons must provide the customer with a statement that any personal data received from the customer will be processed only—

(a)for the purposes of preventing [F200money laundering, terrorist financing or proliferation financing], or

(b)as permitted under paragraph (3).

(7) In Article 6(1) of the [F201UK GDPR] (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest includes processing of personal data in accordance with these Regulations that is necessary for the prevention of [F202money laundering, terrorist financing or proliferation financing].

(8) In the case of sensitive processing of personal data for the purposes of the prevention of [F203money laundering, terrorist financing or proliferation financing], section 10 of, and Schedule 1 to, the Data Protection Act 2018 make provision about when the processing meets a requirement in Article 9(2) or 10 of the [F204UK GDPR] for authorisation under the law of the United Kingdom (see, for example, paragraphs 10, 11 and 12 of that Schedule).

(9) In this regulation—

“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act);

“sensitive processing” means the processing of personal data described in Article 9(1) or 10 of the [F205UK GDPR] (special categories of personal data and personal data relating to criminal convictions and offences etc).]