PART 2 Money Laundering and Terrorist Financing

CHAPTER 2 Risk assessment and controls

Risk assessment by the Treasury and Home Office

16.—(1) The Treasury and the Home Office must make arrangements before 26th June 2018 for a risk assessment to be undertaken to identify, assess, understand and mitigate the risks of money laundering and terrorist financing affecting the United Kingdom (“the risk assessment”).

(2) The risk assessment must, among other things—

(a) identify any areas where relevant persons should apply enhanced customer due diligence measures, and where appropriate, specify the measures to be taken;

(b) identify, where appropriate, the sectors or areas of lower and greater risk of money laundering and terrorist financing;

(c) consider whether any rules on money laundering and terrorist financing made by a supervisory authority applying in relation to the sector it supervises are appropriate in the light of the risks of money laundering and terrorist financing applying to that sector;

(d) provide the information and analysis necessary to enable it to be used for the purposes set out in paragraph (3).

(3) The Treasury and the Home Office must ensure that the risk assessment is used to—

(a) consider the appropriate allocation and prioritisation of resources to counter money laundering and terrorist financing;

(b) consider whether the exclusions provided for in regulation 15 are being abused;

(c) consider whether providers of gambling services other than casinos should continue to be excluded from the requirements of these Regulations.

(4) For the purpose of paragraph (3)(c), a “provider of gambling services” means a person who by way of business provides facilities for gambling within the meaning of section 5 of the Gambling Act 2005 (facilities for gambling)(1).

(5) In undertaking the risk assessment, the Treasury and the Home Office must take account of the reports made by the Commission under Article 6.1 of the fourth money laundering directive.

(6) The Treasury and the Home Office must prepare a joint report setting out, as appropriate, the findings of the risk assessment as soon as reasonably practicable after the risk assessment is completed.

(7) A copy of that report must be laid before Parliament, and sent to—

(a) the PRA;

(b) the supervisory authorities;

(c) the European Commission;

(d) the European Supervisory Authorities; and

(e) each of the other EEA states.

(8) If information from the risk assessment would assist the supervisory authorities in carrying out their own money laundering and terrorist financing risk assessment, the Treasury and the Home Office must, where appropriate, make that information available to those supervisory authorities, unless to do so would not be compatible with restrictions on sharing information imposed by or under the Data Protection Act 1998(2) or any other enactment.

(9) The Treasury and the Home Office must take appropriate steps to ensure that the risk assessment is kept up-to-date.

Risk assessment by supervisory authorities

17.—(1) Each supervisory authority must identify and assess the international and domestic risks of money laundering and terrorist financing to which those relevant persons for which it is the supervisory authority (“its own sector”) are subject.

(2) In carrying out the risk assessment required under paragraph (1), the supervisory authority must take into account—

(a) reports published by the Commission under Article 6.1 of the fourth money laundering directive;

(b) guidelines issued by the European Supervisory Authorities under Articles 17, 18.4 and 48.10 of the fourth money laundering directive;

(c) the report prepared by the Treasury and the Home Office under regulation 16(6); and

(d) information made available by the Treasury and the Home Office under regulation 16(8).

(3) A supervisory authority must keep an up-to-date record in writing of all the steps it has taken under paragraph (1).

(4) Each supervisory authority must develop and record in writing risk profiles for each relevant person in its own sector.

(5) A supervisory authority may prepare a single risk profile under paragraph (4) in relation to two or more relevant persons in its sector, if—

(a) the relevant persons share similar characteristics; and

(b) the risks of money laundering and terrorist financing affecting those relevant persons do not differ significantly.

(6) Where a supervisory authority has prepared a single risk profile for two or more relevant persons in its sector (a “cluster”), the supervisory authority must keep under review whether an individual risk profile should be prepared in relation to any relevant person in the cluster because sub-paragraph (a) or (b) (or both sub-paragraphs) of paragraph (5) are no longer satisfied in relation to that person.

(7) In developing the risk profiles referred to in paragraph (4), the supervisory authority must take full account of the risks that relevant persons in its own sector will not take appropriate action to identify, understand and mitigate money laundering and terrorist financing risks.

(8) Each supervisory authority must review the risk profiles developed under paragraph (4) at regular intervals and following any significant event or developments which might affect the risks to which its own sector is subject, such as—

(a) significant external events that change the nature of the money laundering or terrorist financing risks;

(b) emerging money laundering or terrorist financing risks;

(c) any findings resulting from measures taken by other supervisory authorities;

(d) any changes in the way in which its own sector is operated;

(e) significant changes in regulation.

(9) If information from the risk assessment carried out under paragraph (1), or from information provided to the supervisory authority under regulation 16(8), would assist relevant persons in carrying out their own money laundering and terrorist financing risk assessment, the supervisory authority must, where appropriate, make that information available to those persons, unless to do so would not be compatible with restrictions on sharing information imposed by or under the Data Protection Act 1998(3) or any other enactment.

Risk assessment by relevant persons

18.—(1) A relevant person must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject.

(2) In carrying out the risk assessment required under paragraph (1), a relevant person must take into account—

(a) information made available to them by the supervisory authority under regulations 17(9) and 47, and

(b) risk factors including factors relating to—

(i) its customers;

(ii) the countries or geographic areas in which it operates;

(iii) its products or services;

(iv) its transactions; and

(v) its delivery channels.

(3) In deciding what steps are appropriate under paragraph (1), the relevant person must take into account the size and nature of its business.

(4) A relevant person must keep an up-to-date record in writing of all the steps it has taken under paragraph (1), unless its supervisory authority notifies it in writing that such a record is not required.

(5) A supervisory authority may not give the notification referred to in paragraph (4) unless it considers that the risks of money laundering and terrorist financing applicable to the sector in which the relevant person operates are clear and understood.

(6) A relevant person must provide the risk assessment it has prepared under paragraph (1), the information on which that risk assessment was based and any record required to be kept under paragraph (4), to its supervisory authority on request.

Policies, controls and procedures

19.—(1) A relevant person must—

(a) establish and maintain policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified in any risk assessment undertaken by the relevant person under regulation 18(1);

(b) regularly review and update the policies, controls and procedures established under sub-paragraph (a);

(c) maintain a record in writing of—

(i) the policies, controls and procedures established under sub-paragraph (a);

(ii) any changes to those policies, controls and procedures made as a result of the review and update required by sub-paragraph (b); and

(iii) the steps taken to communicate those policies, controls and procedures, or any changes to them, within the relevant person’s business.

(2) The policies, controls and procedures adopted by a relevant person under paragraph (1) must be—

(a) proportionate with regard to the size and nature of the relevant person’s business, and

(b) approved by its senior management.

(3) The policies, controls and procedures referred to in paragraph (1) must include—

(a) risk management practices;

(b) internal controls (see regulations 21 to 24);

(c) customer due diligence (see regulations 27 to 38);

(d) reliance and record keeping (see regulations 39 to 40);

(e) the monitoring and management of compliance with, and the internal communication of, such policies, controls and procedures.

(4) The policies, controls and procedures referred to in paragraph (1) must include policies, controls and procedures—

(a) which provide for the identification and scrutiny of—

(i) any case where—

(aa) a transaction is complex and unusually large, or there is an unusual pattern of transactions, and

(bb) the transaction or transactions have no apparent economic or legal purpose, and

(ii) any other activity or situation which the relevant person regards as particularly likely by its nature to be related to money laundering or terrorist financing;

(b) which specify the taking of additional measures, where appropriate, to prevent the use for money laundering or terrorist financing of products and transactions which might favour anonymity;

(c) which ensure that when new technology is adopted by the relevant person, appropriate measures are taken in preparation for, and during, the adoption of such technology to assess and if necessary mitigate any money laundering or terrorist financing risks this new technology may cause;

(d) under which anyone in the relevant person’s organisation who knows or suspects (or has reasonable grounds for knowing or suspecting) that a person is engaged in money laundering or terrorist financing as a result of information received in the course of the business or otherwise through carrying on that business is required to comply with—

(i) Part 3 of the Terrorism Act 2000(4); or

(ii) Part 7 of the Proceeds of Crime Act 2002(5);

(e) which, in the case of a money service business that uses agents for the purpose of its business, ensure that appropriate measures are taken by the business to assess—

(i) whether an agent used by the business would satisfy the fit and proper test provided for in regulation 58; and

(ii) the extent of the risk that the agent may be used for money laundering or terrorist financing.

(5) In determining what is appropriate or proportionate with regard to the size and nature of its business, a relevant person may take into account any guidance which has been—

(a) issued by the FCA; or

(b) issued by any other supervisory authority or appropriate body and approved by the Treasury.

(6) A relevant person must, where relevant, communicate the policies, controls and procedures which it establishes and maintains in accordance with this regulation to its branches and subsidiary undertakings which are located outside the United Kingdom.

Policies, controls and procedures: group level

20.—(1) A relevant parent undertaking must—

(a) ensure that the policies, controls and procedures referred to in regulation 19(1) apply—

(i) to all its subsidiary undertakings, including subsidiary undertakings located outside the United Kingdom; and

(ii) to any branches it has established outside the United Kingdom;

which is carrying out any activity in respect of which the relevant person is subject to these Regulations;

(b) establish and maintain throughout its group the policies, controls and procedures for data protection and sharing information for the purposes of preventing money laundering and terrorist financing with other members of the group;

(c) regularly review and update the policies, controls and procedures applied and established under sub-paragraphs (a) and (b);

(d) maintain a record in writing of—

(i) the policies, controls and procedures established under sub-paragraphs (a) and (b);

(ii) any changes to those policies, controls and procedures made as a result of the review and update required by sub-paragraph (c); and

(iii) the steps taken to communicate those policies, controls and procedures, or any changes to them, to its subsidiary undertakings and branches.

(2) A relevant parent undertaking must ensure that those of its subsidiary undertakings and branches which are established in an EEA state follow the law of that EEA state that implements the fourth money laundering directive.

(3) If any of the subsidiary undertakings or branches of a relevant parent undertaking are established in a third country which does not impose requirements to counter money laundering and terrorist financing as strict as those of the United Kingdom, the relevant parent undertaking must ensure that those subsidiary undertakings and branches apply measures equivalent to those required by these Regulations, as far as permitted under the law of the third country.

(4) Where the law of a third country does not permit the application of such equivalent measures by the subsidiary undertaking or branch established in that country, the relevant parent undertaking must—

(a) inform its supervisory authority accordingly; and

(b) take additional measures to handle the risk of money laundering and terrorist financing effectively.

(5) A relevant parent undertaking must ensure that information relevant to the prevention of money laundering and terrorist financing is shared as appropriate between members of its group, subject to any restrictions on sharing information imposed by or under any enactment or otherwise.

Internal controls

21.—(1) Where appropriate with regard to the size and nature of its business, a relevant person must—

(a) appoint one individual who is a member of the board of directors (or if there is no board, of its equivalent management body) or of its senior management as the officer responsible for the relevant person’s compliance with these Regulations;

(b) carry out screening of relevant employees appointed by the relevant person, both before the appointment is made and during the course of the appointment;

(c) establish an independent audit function with the responsibility—

(i) to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by the relevant person to comply with the requirements of these Regulations;

(ii) to make recommendations in relation to those policies, controls and procedures; and

(iii) to monitor the relevant person’s compliance with those recommendations.

(2) For the purposes of paragraph (1)(b)—

(a) “screening” means an assessment of—

(i) the skills, knowledge and expertise of the individual to carry out their functions effectively;

(ii) the conduct and integrity of the individual;

(b) a relevant employee is an employee whose work is—

(i) relevant to the relevant person’s compliance with any requirement in these Regulations, or

(ii) otherwise capable of contributing to the—

(aa) identification or mitigation of the risks of money laundering and terrorist financing to which the relevant person’s business is subject, or

(bb) prevention or detection of money laundering and terrorist financing in relation to the relevant person’s business.

(3) An individual in the relevant person’s firm must be appointed as a nominated officer.

(4) A relevant person must, within 14 days of the appointment, inform its supervisory authority of—

(a) the identity of the individual first appointed under paragraph (1)(a);

(b) the identity of the individual first appointed under paragraph (3); and

(c) of any subsequent appointment to either of those positions.

(5) Where a disclosure is made to the nominated officer, that officer must consider it in the light of any relevant information which is available to the relevant person and determine whether it gives rise to knowledge or suspicion or reasonable grounds for knowledge or suspicion that a person is engaged in money laundering or terrorist financing.

(6) Paragraphs (1) and (3) do not apply where the relevant person is an individual who neither employs nor acts in association with any other person.

(7) A relevant person who is an electronic money issuer or a payment service provider must appoint an individual to monitor and manage compliance with, and the internal communication of, the policies, controls and procedures adopted by the relevant person under regulation 19(1), and in particular to—

(a) identify any situations of higher risk of money laundering or terrorist financing;

(b) maintain a record of its policies, controls and procedures, risk assessment and risk management including the application of such policies and procedures;

(c) apply measures to ensure that its policies, controls and procedures are taken into account in all relevant functions including in the development of new products, dealing with new customers and in changes to business activities; and

(d) provide information to senior management about the operation and effectiveness of its policies, controls and procedures whenever appropriate and at least annually.

(8) A relevant person must establish and maintain systems which enable it to respond fully and rapidly to enquiries from any person specified in paragraph (9) as to—

(a) whether it maintains, or has maintained during the previous five years, a business relationship with any person; and

(b) the nature of that relationship.

(9) The persons specified in this paragraph are—

(a) financial investigators accredited under section 3 of the Proceeds of Crime Act 2002 (accreditation and training)(6);

(b) persons acting on behalf of the Scottish Ministers in their capacity as an enforcement authority under that Act; and

(c) constables or equivalent officers of any law enforcement authority.

(10) In determining what is appropriate with regard to the size and nature of its business, a relevant person—

(a) must take into account its risk assessment under regulation 18(1); and

(b) may take into account any guidance which has been—

(i) issued by the FCA; or

(ii) issued by any other supervisory authority or appropriate body and approved by the Treasury.

Central contact points: electronic money issuers and payment service providers

22.—(1) An electronic money issuer or a payment service provider to which paragraph (2) applies must, if requested by its supervisory authority, appoint a person to act as a central contact point in the United Kingdom for its supervisory authority on any issue relating to the prevention of money laundering or terrorist financing.

(2) This paragraph applies to any electronic money issuer or payment service provider which—

(a) is established in the United Kingdom otherwise than by a branch; and

(b) has its head office in an EEA state other than the United Kingdom.

Requirement on authorised person to inform the FCA

23.—(1) An authorised person whose supervisory authority is the FCA must, before acting as a money service business or a trust or company service provider or within 28 days of so doing, inform the FCA that it intends, or has begun, to act as such.

(2) Paragraph (1) does not apply to an authorised person which—

(a) immediately before the day on which these Regulations come into force (“the relevant date”) was acting as a money service business or a trust or company service provider and continues to act as such after that date; and

(b) informs the FCA that it is acting as such within 30 days of the relevant date.

(3) Where an authorised person whose supervisory authority is the FCA ceases to act as a money service business or a trust or company service provider, it must within 28 days inform the FCA.

(4) Any requirement imposed by this regulation is to be treated as if it were a requirement imposed by or under FSMA.

(5) Any information to be provided to the FCA under this regulation must be in such form or verified in such manner as it may specify.

Training

24.—(1) A relevant person must—

(a) take appropriate measures to ensure that its relevant employees are—

(i) made aware of the law relating to money laundering and terrorist financing, and to the requirements of data protection, which are relevant to the implementation of these Regulations; and

(ii) regularly given training in how to recognise and deal with transactions and other activities or situations which may be related to money laundering or terrorist financing;

(b) maintain a record in writing of the measures taken under sub-paragraph (a), and in particular, of the training given to its relevant employees.

(2) For the purposes of paragraph (1), a relevant employee is an employee whose work is—

(a) relevant to the relevant person’s compliance with any requirement in these Regulations, or

(b) otherwise capable of contributing to the—

(i) identification or mitigation of the risk of money laundering and terrorist financing to which the relevant person’s business is subject; or

(ii) prevention or detection of money laundering and terrorist financing in relation to the relevant person’s business.

(3) In determining what measures are appropriate under paragraph (1), a relevant person—

(a) must take account of—

(i) the nature of its business;

(ii) its size;

(iii) the nature and extent of the risks of money laundering and terrorist financing to which its business is subject; and

(b) may take into account any guidance which has been—

(i) issued by the FCA; or

(ii) issued by any other supervisory authority or appropriate body and approved by the Treasury.

Supervisory action

25.—(1) The supervisory authority must determine whether the additional measures taken under regulation 20(4) by a relevant parent undertaking which is an authorised person or a qualifying parent undertaking (as defined by section 192B of FSMA(7)) are sufficient to handle the risk of money laundering and terrorist financing effectively.

(2) If the supervisory authority does not consider the measures referred to in paragraph (1) to be sufficient, it must consider whether to direct the relevant parent undertaking—

(a) not to enter into a business relationship with a specified person;

(b) not to undertake transactions of a specified description with a specified person;

(c) to terminate an existing business relationship with a specified person;

(d) to cease any operations in the third country.

(e) to ensure that its subsidiary undertaking—

(i) does not enter into a business relationship with a specified person;

(ii) terminates an existing business relationship with a specified person; or

(iii) does not undertake transactions of a specified description with a specified person, or ceases any operations in the third country.

(3) A direction issued under paragraph (2) takes effect—

(a) immediately, if the notice given under paragraph (6) states that that is the case;

(b) on such date as may be specified in the notice; or

(c) if no such date is specified in the notice, when the matter to which the notice relates is no longer open to review.

(4) For the purposes of paragraph (3), a matter to which a notice relates is still open to review if—

(a) the period during which any person may refer the matter to the appropriate tribunal is still running;

(b) the matter has been referred to the appropriate tribunal but has not been dealt with;

(c) the matter has been referred to the appropriate tribunal and dealt with but the period during which an appeal may be brought against the appropriate tribunal’s decision is still running; or

(d) such an appeal has been brought but has not been determined.

(5) Where the FCA proposes to issue a direction under paragraph (2) to a PRA-authorised person or to a person who has a qualifying relationship with a PRA-authorised person, it must consult the PRA.

(6) If the supervisory authority issues a direction under paragraph (2) it must give the relevant parent undertaking (“A”) a notice in writing.

(7) The notice must—

(a) give details of the direction;

(b) state the supervisory authority’s reasons for issuing the direction;

(c) inform A that A may make representations to the supervisory authority within such period as may be specified in the notice (whether or not A has referred the matter to the appropriate tribunal);

(d) inform A of when the direction takes effect; and

(e) inform A of A’s right to refer the matter to the appropriate tribunal.

(8) The supervisory authority may extend the period allowed under the notice for making representations.

(9) If, having considered any representations made by A, the supervisory authority decides—

(a) to issue the direction, or

(b) if the direction has been issued, not to rescind the direction,

it must give A notice in writing.

(10) If, having considered any representations made by A, the supervisory authority decides—

(a) not to issue the direction,

(b) to issue a different direction, or

(c) to rescind a direction which has effect,

it must give A notice in writing.

(11) A notice under paragraph (9) must inform A of A’s right to refer the matter to the appropriate tribunal.

(12) A notice under paragraph (10)(b) must comply with paragraph (7).

(13) If a notice informs A of A’s right to refer a matter to the appropriate tribunal, it must give an indication of the procedure on such a reference.

(14) For the purpose of this regulation—

(a) “appropriate tribunal” means—

(i) the Upper Tribunal, in the case of a direction issued by the FCA;

(ii) the First-tier or Upper Tribunal, as provided for in regulation 99, in the case of a direction issued by the Commissioners;

(b) “specified” means specified in the direction.

(6) 2002 c. 29. Section 3 was amended by paragraph 111 of Schedule 8 to the Crime and Courts Act 2013 (c.22), and by paragraph 120 of Schedule 8 and paragraph 1 of Schedule 14 to the Serious Crime Act 2007 (c.27).

(7) Section 192B was inserted, with the rest of Part 12A, by section 27 of the Financial Services Act 2012 (c.21).