The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017

PART 3U.K.Customer Due Diligence

CHAPTER 1U.K.Customer due diligence: general

Customer due diligenceU.K.

27.—(1) A relevant person must apply customer due diligence measures if the person—

(a)establishes a business relationship;

(b)carries out an occasional transaction that amounts to a transfer of funds within the meaning of Article 3.9 of the funds transfer regulation exceeding 1,000 euros;

(c)suspects money laundering or terrorist financing; or

(d)doubts the veracity or adequacy of documents or information previously obtained for the purposes of identification or verification.

(2) A relevant person who is not [F1a letting agent,] a high value dealer, [F2an art market participant, a cryptoasset exchange provider of the kind referred to in paragraph (7D)] [F3or (7E), a custodian wallet provider of the kind referred to in paragraph (7E)] or a casino must also apply customer due diligence measures if the person carries out an occasional transaction that amounts to 15,000 euros or more, whether the transaction is executed in a single operation or in several operations which appear to be linked.

(3) A high value dealer must also apply customer due diligence measures if that dealer carries out an occasional transaction in cash that amounts to 10,000 euros or more, whether the transaction is executed in a single operation or in several operations which appear to be linked.

(4) A transaction does not cease to be a “transaction in cash” for the purposes of paragraph (3) if cash is paid by or on behalf of a party to the transaction—

(a)to a person other than the other party to the transaction for the benefit of the other party, or

(b)into a bank account for the benefit of the other party to the transaction.

(5) A casino must also apply customer due diligence measures in relation to any transaction within paragraph (6) that amounts to 2,000 euros or more, whether the transaction is executed in a single operation or in several operations which appear to be linked.

(6) A transaction is within this paragraph if it consists of—

(a)the wagering of a stake, including—

(i)the purchase from, or exchange with, the casino of tokens for use in gambling at the casino;

(ii)payment for use of gaming machines (within the meaning of section 235 of the Gambling Act 2005 M1); and

(iii)the deposit of funds required to take part in remote gambling; or

(b)the collection of winnings, including the withdrawal of funds deposited to take part in remote gambling (within the meaning of section 4 of the Gambling Act 2005) or winnings arising from the staking of such funds.

(7) In determining whether a transaction amounts to 2,000 euros or more for the purposes of paragraph (5), no account is to be taken of winnings from a previous transaction which had not been collected from the casino, gaming machine or remote gambling, but are being re-used in the transaction in question.

[F4(7A) A letting agent must also apply customer due diligence measures in relation to any transaction which consists of the conclusion of an agreement for the letting of land (within the meaning given in regulation 13(7))—

(i)for a term of a month or more, and

(ii)at a rent which during at least part of the term is, or is equivalent to, a monthly rent of 10,000 euros or more.

(7B) The letting agent must apply customer due diligence measures under paragraph (7A) in relation to both the person by whom the land is being let, and the person who is renting the land.

(7C) An art market participant must also apply customer due diligence measures—

(a)in relation to any trade in a work of art (within the meaning given in regulation 14), when the firm or sole practitioner carries out, or acts in respect of, any such transaction, or series of linked transactions, whose value amounts to 10,000 euros or more;

(b)in relation to the storage of a work of art (within the meaning given in regulation 14), when it is the operator of a freeport and the value of the works of art so stored for a person, or series of linked persons, amounts to 10,000 euros or more.

(7D) A cryptoasset exchange provider of the kind who operates a machine which utilises automated processes to exchange cryptoassets for money, or money for cryptoassets, must also apply customer due diligence measures in relation to any such transaction carried out using that machine (and for the purposes of this paragraph “money” and “cryptoasset” have the same meanings as they have in regulation 14A(1)).]

[F5(7E) Without prejudice to paragraph (7D), a cryptoasset exchange provider and a custodian wallet provider must also apply customer due diligence measures in relation to a cryptoasset transfer which is equal to or exceeds the equivalent in cryptoassets of 1,000 euros in value (taken together with any other cryptoasset transfer which appears to be linked).]

(8) A relevant person must also apply customer due diligence measures—

[F6(za)when the relevant person has any legal duty in the course of the calendar year to contact an existing customer for the purpose of reviewing any information which—

(i)is relevant to the relevant person’s risk assessment for that customer, and

(ii)relates to the beneficial ownership of the customer, including information which enables the relevant person to understand the ownership or control structure of a legal person, trust, foundation or similar arrangement who is the beneficial owner of the customer;

(zb)when the relevant person has to contact an existing customer in order to fulfil any duty under the International Tax Compliance Regulations 2015 M2;]

(a)at other appropriate times to existing customers on a risk based approach;

(b)when the relevant person becomes aware that the circumstances of an existing customer relevant to its risk assessment for that customer have changed.

(9) For the purposes of paragraph (8), in determining when it is appropriate to take customer due diligence measures in relation to existing customers, a relevant person must take into account, among other things—

(a)any indication that the identity of the customer, or of the customer's beneficial owner, has changed;

(b)any transactions which are not reasonably consistent with the relevant person's knowledge of the customer;

(c)any change in the purpose or intended nature of the relevant person's relationship with the customer;

(d)any other matter which might affect the relevant person's assessment of the money laundering or terrorist financing risk in relation to the customer.

[F7(10) In this regulation, “cryptoasset” and “cryptoasset transfer” have the meanings given by regulation 64B (cryptoasset transfers: interpretation).]

Customer due diligence measuresU.K.

28.—(1) This regulation applies when a relevant person is required by regulation 27 to apply customer due diligence measures.

(2) The relevant person must—

(a)identify the customer unless the identity of that customer is known to, and has been verified by, the relevant person;

(b)verify the customer's identity unless the customer's identity has already been verified by the relevant person; and

(c)assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or occasional transaction.

(3) Where the customer is a body corporate—

(a)the relevant person must obtain and verify—

(i)the name of the body corporate;

(ii)its company number or other registration number;

(iii)the address of its registered office, and if different, its principal place of business;

(b)subject to paragraph (5), the relevant person must take reasonable measures to determine and verify—

(i)the law to which the body corporate is subject, and its constitution (whether set out in its articles of association or other governing documents);

(ii)the full names of the board of directors (or if there is no board, the members of the equivalent management body) and the senior persons responsible for the operations of the body corporate.

[F8(3A) Where the customer is a legal person, trust, company, foundation or similar legal arrangement the relevant person must take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation or similar legal arrangement.]

(4) Subject to paragraph (5), where the customer is beneficially owned by another person, the relevant person must—

(a)identify the beneficial owner;

(b)take reasonable measures to verify the identity of the beneficial owner so that the relevant person is satisfied that it knows who the beneficial owner is; and

(c)if the beneficial owner is a legal person, trust, company, foundation or similar legal arrangement take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation or similar legal arrangement.

(5) Paragraphs (3)(b)[F9, (3A)] and (4) do not apply where the customer is a company which is listed on a regulated market.

(6) If the customer is a body corporate, and paragraph (7) applies, the relevant person may treat the senior person in that body corporate responsible for managing it as its beneficial owner.

(7) This paragraph applies if (and only if) the relevant person has exhausted all possible means of identifying the beneficial owner of the body corporate and—

(a)has not succeeded in doing so, or

(b)is not satisfied that the individual identified is in fact the beneficial owner.

[F10(8) If paragraph (7) applies, the relevant person must—

(a)keep records in writing of all the actions it has taken to identify the beneficial owner of the body corporate;

(b)take reasonable measures to verify the identity of the senior person in the body corporate responsible for managing it, and keep records in writing of—

(i)all the actions the relevant person has taken in doing so, and

(ii)any difficulties the relevant person has encountered in doing so.]

(9) Relevant persons do not satisfy their requirements under paragraph (4) by relying solely on the information—

(a)contained in—

(i)the register of people with significant control kept by a company under section 790M of the Companies Act 2006 (duty to keep register) M2;

(ii)the register of people with significant control kept by a limited liability partnership under section 790M of the Companies Act 2006 as modified by regulation 31E of the Limited Liability Partnerships (Application of Companies Act 2006) Regulations 2009 M3; or

(iii)the register of people with significant control kept by a [F11UK Societas] (within the meaning of the Council Regulation 2157/2001/EC of 8 October 2001 on the Statute for a European Company F12...) under section 790M of the Companies Act 2006 as modified by regulation 5 of the European Public Limited Liability Company (Register of People with Significant Control) Regulations 2016 M4;

(b)referred to in sub-paragraph (a) and delivered to the registrar of companies (within the meaning of section 1060(3) of the Companies Act 2006 (the registrar)) under any enactment; or

(c)contained in required particulars in relation to eligible Scottish partnerships delivered to the registrar of companies under regulation 19 of the Scottish Partnerships (Register of People with Significant Control) Regulations 2017 M5.

(10) Where a person (“A”) purports to act on behalf of the customer, the relevant person must—

(a)verify that A is authorised to act on the customer's behalf;

(b)identify A; and

(c)verify A's identity on the basis of documents or information in either case obtained from a reliable source which is independent of both A and the customer.

(11) The relevant person must conduct ongoing monitoring of a business relationship, including—

(a)scrutiny of transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the relevant person's knowledge of the customer, the customer's business and risk profile;

(b)undertaking reviews of existing records and keeping the documents or information obtained for the purpose of applying customer due diligence measures up-to-date.

(12) The ways in which a relevant person complies with the requirement to take customer due diligence measures, and the extent of the measures taken—

(a)must reflect—

(i)the risk assessment carried out by the relevant person under regulation 18(1);

(ii)its assessment of the level of risk arising in any particular case;

(b)may differ from case to case.

(13) In assessing the level of risk in a particular case, the relevant person must take account of factors including, among other things—

(a)the purpose of an account, transaction or business relationship;

(b)the level of assets to be deposited by a customer or the size of the transactions undertaken by the customer;

(c)the regularity and duration of the business relationship.

(14) If paragraph (15) applies, a relevant person is not required to continue to apply customer due diligence measures under paragraph (2) or (10) in respect of a customer.

(15) This paragraph applies if all the following conditions are met—

(a)a relevant person has taken customer due diligence measures in relation to a customer;

(b)the relevant person makes a disclosure required by—

(i)Part 3 of the Terrorism Act 2000 M6, or

(ii)Part 7 of the Proceeds of Crime Act 2002 M7; and

(c)continuing to apply customer due diligence measures in relation to that customer would result in the commission of an offence by the relevant person under—

(i)section 21D of the Terrorism Act 2000 (tipping off: regulated sector) M8; or

(ii)section 333A of the Proceeds of Crime Act 2002 (tipping off: regulated sector) M9.

(16) The relevant person must be able to demonstrate to its supervisory authority that the extent of the measures it has taken to satisfy its requirements under this regulation are appropriate in view of the risks of money laundering and terrorist financing, including risks—

(a)identified by the risk assessment carried out by the relevant person under regulation 18(1);

(b)identified by its supervisory authority and in information made available to the relevant person under regulations 17(9) and 47.

(17) Paragraph (16) does not apply to the National Savings Bank or the Director of Savings.

(18) For the purposes of this regulation—

(a)except in paragraph (10), “verify” means verify on the basis of documents or information in either case obtained from a reliable source which is independent of the person whose identity is being verified;

(b)documents issued or made available by an official body are to be regarded as being independent of a person even if they are provided or made available to the relevant person by or on behalf of that person.

[F13(19) For the purposes of this regulation, information may be regarded as obtained from a reliable source which is independent of the person whose identity is being verified where—

(a)it is obtained by means of an electronic identification process, including by using electronic identification means or by using a trust service (within the meanings of those terms in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23rd July 2014 on electronic identification and trust services for electronic transactions in the internal market M10); and

(b)that process is secure from fraud and misuse and capable of providing [F14assurance that the person claiming a particular identity is in fact the person with that identity, to a degree that is necessary for effectively managing and mitigating any risks of money laundering and terrorist financing].]

Additional customer due diligence measures: credit institutions and financial institutionsU.K.

29.—(1) This regulation applies in addition to regulation 28 where a relevant person is a credit institution or a financial institution.

(2) Paragraphs (3) to (5) apply if the relevant person is providing a customer with a contract of long-term insurance (“the insurance policy”).

(3) As soon as the beneficiaries of the insurance policy are identified or designated, the relevant person must—

(a)if the beneficiary is a named person or legal arrangement, take the full name of the person or arrangement; or

(b)if the beneficiaries are designated by specified characteristics, as a class or in any other way, obtain sufficient information about the beneficiaries to satisfy itself that it will be able to establish the identity of the beneficiary before any payment is made under the insurance policy.

(4) The relevant person must verify the identity of the beneficiaries (on the basis of documents or information in either case obtained from a reliable source which is independent of the customer and the beneficiaries, and regulation 28(18)(b) applies for the purpose of determining whether a source satisfies this requirement) before any payment is made under the insurance policy.

(5) When the relevant person becomes aware that all or part of the rights under the insurance policy are being, or have been, assigned to an individual, body corporate, trust or other legal arrangement which is receiving the value or part of the value of the insurance policy for its own benefit ( “ the new beneficiary ”), the relevant person must identify the new beneficiary as soon as possible after becoming aware of the assignment, and in any case before a payment is made under the policy.

(6) The relevant person must not set up [F15an anonymous account, an anonymous passbook or an anonymous safe-deposit box] for any new or existing customer.

(7) The relevant person must apply customer due diligence measures to all anonymous accounts and passbooks in existence on the date on which these Regulations come into force, and in any event before such accounts or passbooks are used in any way.

[F16(7A) The relevant person must apply customer due diligence measures to all anonymous safe-deposit boxes in existence on 10th January 2019, and in any event before such safe-deposit boxes are used in any way.]

(8) A relevant person which—

(a)is an open-ended investment company within the meaning of regulation 2(1) of the Open-Ended Investment Companies Regulations 2001 M11; and

(b)is authorised on or after the date on which these Regulations come into force,

may not issue shares evidenced by a share certificate (or any other documentary evidence) indicating that the holder of the certificate or document is entitled to the shares specified in it.

(9) Paragraph (8) does not apply to an open-ended investment company if—

(a)an application for an authorisation order under regulation 12 of the Open-ended Investment Companies Regulations 2001 was made in relation to that open-ended investment company before the date on which these Regulations come into force; and

(b)that application was not determined until a date on or after the date on which these Regulations come into force.

Timing of verificationU.K.

30.—(1) This regulation applies when a relevant person is required to take any measures under regulation 27, 28 or 29.

(2) Subject to paragraph (3) or (4), a relevant person must comply with the requirement to verify the identity of the customer, any person purporting to act on behalf of the customer and any beneficial owner of the customer before the establishment of a business relationship or the carrying out of the transaction.

(3) Provided that the verification is completed as soon as practicable after contact is first established, the verification of the customer, any person purporting to act on behalf of the customer and the customer's beneficial owner, may be completed during the establishment of a business relationship if—

(a)this is necessary not to interrupt the normal conduct of business; and

(b)there is little risk of money laundering and terrorist financing.

(4) The verification by a credit institution or a financial institution of the identity of a customer opening an account, any person purporting to act on behalf of the customer and any beneficial owner of the customer, may take place after the account has been opened provided that there are adequate safeguards in place to ensure that no transactions are carried out by or on behalf of the customer before verification has been completed.

(5) For the purposes of paragraph (4) “account” includes an account which permits transactions in transferable securities.

(6) Paragraph (7) applies if—

(a)the relevant person is required to apply customer due diligence measures in the case of a trust, a legal entity (other than a body corporate) or a legal arrangement (other than a trust); and

(b)the beneficiaries of that trust, entity or arrangement are designated as a class, or by reference to particular characteristics.

(7) If this paragraph applies, the relevant person must establish and verify the identity of any beneficiary before—

(a)any payment is made to the beneficiary; or

(b)the beneficiary exercises its vested rights in the trust, legal entity or legal arrangement.

[F17Requirement to report discrepancies in registersU.K.

30A.—(1) Before establishing a business relationship with—

(a)a company which is subject to the requirements of Part 21A of the Companies Act 2006 (information about people with significant control);

(b)an unregistered company which is subject to the requirements of the Unregistered Companies Regulations 2009;

(c)a limited liability partnership which is subject to the requirements of the Limited Liability Partnerships (Application of Companies Act 2006) Regulations 2009;

(d)an eligible Scottish partnership which is subject to the requirements of the Scottish Partnerships (Register of People with Significant Control) Regulations 2017, F18...

(e)a trust which is subject to registration under Part 5 of these Regulations, [F19or]

[F20(f)an overseas entity which is subject to registration under Part 1 of the Economic Crime (Transparency and Enforcement) Act 2022,]

[F21a relevant person must collect an excerpt of the register which contains full details of any information specified in paragraph (1A) held on the register at the relevant time before the business relationship is established, or must establish from its inspection of the register that there is no such information held on the register at that time.]

[F22(1A) The information specified in this paragraph is as follows—

(a)in relation to a firm of a type described in paragraphs (1)(a) to (e), information relating to beneficial owners of the customer; and

(b)in relation to an overseas entity of a type described in paragraph (1)(f), required information relating to registrable beneficial owners specified under Schedule 1 to the Economic Crime (Transparency and Enforcement) Act 2022.]

(2) The relevant person must report to the person mentioned in paragraph (3) [F23any material discrepancy] the relevant person finds between information relating to the beneficial ownership of the customer—

(a)which the relevant person collects under paragraph (1), and

(b)which otherwise becomes available to the relevant person in the course of carrying out its duties under these Regulations when establishing a business relationship with the customer.

[F24(2A) When taking measures to fulfil the duties to carry out customer due diligence and ongoing monitoring of a business relationship (including enhanced customer due diligence and enhanced ongoing monitoring) under Part 3 of these Regulations after a business relationship with a customer of a type described in paragraph (1)(a) to (f) has been established, a relevant person must also collect an excerpt of the register which contains full details of any information specified in paragraph (1A) which is held on the register at that time, or must establish from its inspection of the register that there is no such information held on the register at that time.

(2B) The relevant person must report to the person mentioned in paragraph (3) any material discrepancy the relevant person finds between information relating to the beneficial ownership of the customer—

(a)which the relevant person collects under paragraph (2A), and

(b)which otherwise becomes available to the relevant person in the course of carrying out its duties under these Regulations.]

(3) [F25A material discrepancy referred to in paragraphs (2) and (2B)] must be reported—

(a)if it relates to a company, an unregistered company, a limited liability partnership [F26, an eligible Scottish partnership or an overseas entity,] to the registrar; or

(b)if it relates to a trust, to the Commissioners.

(4) The relevant person is not required under paragraph (2) [F27or (2B)] to report information which that person would be entitled to refuse to provide on grounds of legal professional privilege in the High Court (or in Scotland, on the ground of confidentiality of communications in the Court of Session).

(5) The person to whom [F28a material discrepancy] is reported must take such action as that person considers appropriate to investigate and, if necessary, resolve the discrepancy in a timely manner.

[F29(6) A discrepancy which is reported to the registrar under paragraph (3) is material excluded from public inspection for the purposes of—

(a)section 1087 of the Companies Act 2006 (material not available for public inspection), including for the purposes of that section as applied—

(i)to unregistered companies by paragraph 20 of Schedule 1 to the Unregistered Companies Regulations 2009;

(ii)to limited liability partnerships by regulation 66 of the Limited Liability Partnerships (Application of Companies Act 2006) Regulations 2009; and

(iii)to eligible Scottish partnerships by regulation 61 of the Scottish Partnerships (Register of People with Significant Control) Regulations 2017; and

(b)section 22 of the Economic Crime (Transparency and Enforcement) Act 2022 (material unavailable for inspection).]

(7) A reference to the registrar in this regulation is to the registrar of companies within the meaning of section 1060(3) of the Companies Act 2006.

[F30(8) In this regulation, a “material discrepancy” is one described in Schedule 3AZA.]]

Requirement to cease transactions etcU.K.

31.—(1) Where, in relation to any customer, a relevant person is unable to apply customer due diligence measures as required by regulation 28, that person—

(a)must not carry out any transaction through a bank account with the customer or on behalf of the customer;

(b)must not establish a business relationship or carry out a transaction with the customer otherwise than through a bank account;

(c)must terminate any existing business relationship with the customer;

(d)must consider whether the relevant person is required to make a disclosure (or to make further disclosure) by—

(i)Part 3 of the Terrorism Act 2000 M12; or

(ii)Part 7 of the Proceeds of Crime Act 2002 M13.

(2) Paragraph (1)(a) does not prevent money deposited in an account being repaid to the person who deposited it, provided that, in any case where a disclosure is required by the legislation referred in paragraph (1)(d), the relevant person has—

(a)consent (within the meaning of section 21ZA of the Terrorism Act 2000 (arrangements with prior consent)) M14 to the transaction, or

(b)the appropriate consent (within the meaning of section 335 of the Proceeds of Crime Act 2002 (appropriate consent)) to the transaction.

(3) Paragraph (1) does not apply where an independent legal professional or other professional adviser is in the course of ascertaining the legal position for a client or performing the task of defending or representing that client in, or concerning, legal proceedings, including giving advice on the institution or avoidance of proceedings.

(4) In paragraph (3), “other professional adviser” means an auditor, external accountant or tax adviser who is a member of a professional body which is established for any such persons and which makes provision for—

(a)testing the competence of those seeking admission to membership of such a body as a condition for such admission; and

(b)imposing and maintaining professional and ethical standards for its members, as well as imposing sanctions for non-compliance with those standards.

(5) Paragraph (1)(a) to (c) does not apply where an insolvency practitioner has been appointed by the court as administrator or liquidator of a company, provided that—

(a)the insolvency practitioner has taken all reasonable steps to satisfy the requirements set out in regulation 28(2) and (10), and

(b)the resignation of the insolvency practitioner would be prejudicial to the interests of the creditors of the company.

Exception for trustees of debt issuesU.K.

32.—(1) A relevant person—

(a)who is appointed by the issuer of instruments or securities specified in paragraph (2) as trustee of an issue of such instruments or securities; or

(b)whose customer is a trustee of an issue of such instruments or securities,

is not required to apply the customer due diligence measure referred to in regulation 28(3) and (4) in respect of the holders of such instruments or securities.

(2) The specified instruments and securities are—

(a)instruments which fall within article 77 or 77A of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 M15; and

(b)securities which fall within article 78 of that Order M16.

CHAPTER 2U.K.Enhanced customer due diligence

Obligation to apply enhanced customer due diligenceU.K.

33.—(1) A relevant person must apply enhanced customer due diligence measures and enhanced ongoing monitoring, in addition to the customer due diligence measures required under regulation 28 and, if applicable, regulation 29, to manage and mitigate the risks arising—

(a)in any case identified as one where there is a high risk of money laundering or terrorist financing—

(i)by the relevant person under regulation 18(1), or

(ii)in information made available to the relevant person under regulations 17(9) and 47;

(b)in any business relationship F31... with a person established in a high-risk third country [F32or in relation to any relevant transaction where either of the parties to the transaction is established in a high-risk third country];

(c)in relation to correspondent relationships with a credit institution or a financial institution (in accordance with regulation 34);

(d)if a relevant person has determined that a customer or potential customer is a PEP, or a family member or known close associate of a PEP (in accordance with regulation 35);

(e)in any case where the relevant person discovers that a customer has provided false or stolen identification documentation or information and the relevant person proposes to continue to deal with that customer;

[F33(f)in any case where—

(i)a transaction is complex or unusually large,

(ii)there is an unusual pattern of transactions, or

(iii)the transaction or transactions have no apparent economic or legal purpose, and]

(g)in any other case which by its nature can present a higher risk of money laundering or terrorist financing.

(2) Paragraph (1)(b) does not apply when the customer is a branch or majority owned subsidiary undertaking of an entity which is established in [F34a third country] if all the following conditions are satisfied—

[F35(a)the entity is—

(i)subject to requirements in national legislation having an equivalent effect to those laid down in the fourth money laundering directive on an obliged entity (within the meaning of that directive); and

(ii)supervised for compliance with those requirements in a manner equivalent to section 2 of Chapter VI of the fourth money laundering directive;]

(b)the branch or subsidiary complies fully with procedures and policies established for the group under [F36requirements equivalent to those laid down in] Article 45 of the fourth money laundering directive; and

(c)the relevant person, applying a risk-based approach, does not consider that it is necessary to apply enhanced customer due diligence measures.

[F37(3) For the purposes of paragraph (1)(b)—

(a)[F38a “high-risk third country” means [F39a country named on either of the following lists published by the Financial Action Task Force as they have effect from time to time—

(i)High-Risk Jurisdictions subject to a Call for Action;

(ii)Jurisdictions under Increased Monitoring;]]

(b)a “relevant transaction” means a transaction in relation to which the relevant person is required to apply customer due diligence measures under regulation 27;

(c)being “established in” a country means—

(i)in the case of a legal person, being incorporated in or having its principal place of business in that country, or, in the case of a financial institution or a credit institution, having its principal regulatory authority in that country; and

(ii)in the case of an individual, being resident in that country, but not merely having been born in that country.]

[F40(3A) The enhanced due diligence measures taken by a relevant person for the purpose of paragraph (1)(b) must include—

(a)obtaining additional information on the customer and on the customer’s beneficial owner;

(b)obtaining additional information on the intended nature of the business relationship;

(c)obtaining information on the source of funds and source of wealth of the customer and of the customer’s beneficial owner;

(d)obtaining information on the reasons for the transactions;

(e)obtaining the approval of senior management for establishing or continuing the business relationship;

(f)conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.]

(4) The enhanced customer due diligence measures taken by a relevant person for the purpose of paragraph (1)(f) must include—

(a)as far as reasonably possible, examining the background and purpose of the transaction, and

(b)increasing the degree and nature of monitoring of the business relationship in which the transaction is made to determine whether that transaction or that relationship appear to be suspicious.

[F41(4A) Where a relevant person provides a life insurance policy, the relevant person must consider the nature and identity of the beneficiary of the policy when assessing whether there is a high risk of money laundering or terrorist financing, and the extent of the measures which should be taken to manage and mitigate that risk.

(4B) Where the beneficiary of a life insurance policy provided by a relevant person—

(a)is a legal person or a legal arrangement, and

(b)presents a high risk of money laundering or terrorist financing,

the relevant person must take reasonable measures to identify and verify the identity of the beneficial owner of that beneficiary before any payment is made under the policy.]

(5) Depending on the requirements of the case, the enhanced customer due diligence measures required under paragraph (1) may also include, among other things—

(a)seeking additional independent, reliable sources to verify information provided or made available to the relevant person;

(b)taking additional measures to understand better the background, ownership and financial situation of the customer, and other parties to the transaction;

(c)taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship;

(d)increasing the monitoring of the business relationship, including greater scrutiny of transactions.

(6) When assessing whether there is a high risk of money laundering or terrorist financing in a particular situation, and the extent of the measures which should be taken to manage and mitigate that risk, relevant persons must take account of risk factors including, among other things—

(a)customer risk factors, including whether—

(i)the business relationship is conducted in unusual circumstances;

(ii)the customer is resident in a geographical area of high risk (see sub-paragraph (c));

(iii)the customer is a legal person or legal arrangement that is a vehicle for holding personal assets;

(iv)the customer is a company that has nominee shareholders or shares in bearer form;

(v)the customer is a business that is cash intensive;

(vi)the corporate structure of the customer is unusual or excessively complex given the nature of the company's business;

[F42(vii)the customer is the beneficiary of a life insurance policy;

(viii)the customer is a third country national who is applying for residence rights in or citizenship of [F43a state] in exchange for transfers of capital, purchase of a property, government bonds or investment in corporate entities in [F44that state];]

(b)product, service, transaction or delivery channel risk factors, including whether—

(i)the product involves private banking;

(ii)the product or transaction is one which might favour anonymity;

(iii)the situation involves non-face-to-face business relationships or transactions, without certain safeguards, such as [F45an electronic identification process which meets the conditions set out in regulation 28(19)];

(iv)payments will be received from unknown or unassociated third parties;

(v)new products and new business practices are involved, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products;

(vi)the service involves the provision of nominee directors, nominee shareholders or shadow directors, or the formation of companies in a third country;

[F46(vii)there is a transaction related to oil, arms, precious metals, tobacco products, cultural artefacts, ivory or other items related to protected species, or other items of archaeological, historical, cultural or religious significance or of rare scientific value;]

(c)geographical risk factors, including—

(i)countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective systems to counter money laundering or terrorist financing;

(ii)countries identified by credible sources as having significant levels of corruption or other criminal activity, such as terrorism (within the meaning of section 1 of the Terrorism Act 2000 M17), money laundering, and the production and supply of illicit drugs;

(iii)countries subject to sanctions, embargos or similar measures issued by, for example, the European Union or the United Nations;

(iv)countries providing funding or support for terrorism;

(v)countries that have organisations operating within their territory which have been designated—

(aa)by the government of the United Kingdom as proscribed organisations under Schedule 2 to the Terrorism Act 2000 M18, or

(bb)by other countries, international organisations or the European Union as terrorist organisations;

(vi)countries identified by credible sources, such as evaluations, detailed assessment reports or published follow-up reports published by the Financial Action Task Force, the International Monetary Fund, the World Bank, the Organisation for Economic Co-operation and Development or other international bodies or non-governmental organisations as not implementing requirements to counter money laundering and terrorist financing that are consistent with the recommendations published by the Financial Action Task Force in February 2012 and updated in [F47June 2019].

(7) In making the assessment referred to in paragraph (6), relevant persons must bear in mind that the presence of one or more risk factors may not always indicate that there is a high risk of money laundering or terrorist financing in a particular situation.

F48(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Enhanced customer due diligence: credit institutions, financial institutions and correspondent relationshipsU.K.

34.—(1) A credit institution or financial institution (the “correspondent”) which has or proposes to have a correspondent relationship [F49involving the execution of payments] with another such institution (the “respondent”) from a third country must, in addition to the measures required by regulation 33—

(a)gather sufficient information about the respondent to understand fully the nature of its business;

(b)determine from publicly-available information from credible sources the reputation of the respondent and the quality of the supervision to which the respondent is subject;

(c)assess the respondent's controls to counter money laundering and terrorist financing;

(d)obtain approval from senior management before establishing a new correspondent relationship;

(e)document the responsibilities of the respondent and correspondent in the correspondent relationship; and

(f)be satisfied that, in respect of those of the respondent's customers who have direct access to accounts with the correspondent, the respondent—

(i)has verified the identity of, and conducts ongoing customer due diligence measures in relation to, such customers; and

(ii)is able to provide to the correspondent, upon request, the documents or information obtained when applying such customer due diligence measures.

(2) Credit institutions and financial institutions must not enter into, or continue, a correspondent relationship with a shell bank.

(3) Credit institutions and financial institutions must take appropriate enhanced measures to ensure that they do not enter into, or continue, a correspondent relationship with a credit institution or financial institution which is known to allow its accounts to be used by a shell bank.

(4) For the purposes of this regulation—

(a)“correspondent relationship” means—

(i)the provision of banking services by a correspondent to a respondent including providing a current or other liability account and related services, such as cash management, international funds transfers, cheque clearing, providing customers of the respondent with direct access to accounts with the correspondent (and vice versa) and providing foreign exchange services; or

(ii)the relationship between and among credit institutions and financial institutions including where similar services are provided by a correspondent to a respondent, and including relationships established for securities transactions or funds transfers;

(b)a “shell bank” means a credit institution or financial institution, or an institution engaged in equivalent activities to those carried out by credit institutions or financial institutions, incorporated in a jurisdiction in which it has no physical presence involving meaningful decision-making and management, and which is not part of a financial conglomerate or third-country financial conglomerate;

(c)in sub-paragraph (b), “financial conglomerate” and “third-country financial conglomerate” have the meanings given by regulations 1(2) and 7(1) respectively of the Financial Conglomerates and Other Financial Groups Regulations 2004 M19.

Enhanced customer due diligence: politically exposed personsU.K.

35.—(1) A relevant person must have in place appropriate risk-management systems and procedures to determine whether a customer or the beneficial owner of a customer is—

(a)a politically exposed person (a “PEP”); or

(b)a family member or a known close associate of a PEP,

and to manage the enhanced risks arising from the relevant person's business relationship or transactions with such a customer.

(2) In determining what risk-management systems and procedures are appropriate under paragraph (1), the relevant person must take account of—

(a)the risk assessment it carried out under regulation 18(1);

(b)the level of risk of money laundering and terrorist financing inherent in its business;

(c)the extent to which that risk would be increased by its business relationship or transactions with a PEP, or a family member or known close associate of a PEP, and

(d)any relevant information made available to the relevant person under regulations 17(9) and 47.

(3) If a relevant person has determined that a customer or a potential customer is a PEP, or a family member or known close associate of a PEP, the relevant person must assess—

(a)the level of risk associated with that customer, and

(b)the extent of the enhanced customer due diligence measures to be applied in relation to that customer.

[F50(3A) For the purpose of the relevant person’s assessment under paragraph (3), where a customer or potential customer is a domestic PEP, or a family member or a known close associate of a domestic PEP—

(a)the starting point for the assessment is that the customer or potential customer presents a lower level of risk than a non-domestic PEP, and

(b)if no enhanced risk factors are present, the extent of enhanced customer due diligence measures to be applied in relation to that customer or potential customer is less than the extent to be applied in the case of a non-domestic PEP.]

(4) In assessing the extent of the enhanced customer due diligence measures to be taken in relation to any particular person (which may differ from case to case), a relevant person—

(a)must take account of any relevant information made available to the relevant person under regulations 17(9) and 47; and

(b)may take into account any guidance which has been—

(i)issued by the FCA; or

(ii)issued by any other supervisory authority or appropriate body and approved by the Treasury.

(5) A relevant person who proposes to have, or to continue, a business relationship with a PEP, or a family member or a known close associate of a PEP, must, in addition to the measures required by regulation 33—

(a)have approval from senior management for establishing or continuing the business relationship with that person;

(b)take adequate measures to establish the source of wealth and source of funds which are involved in the proposed business relationship or transactions with that person; and

(c)where the business relationship is entered into, conduct enhanced ongoing monitoring of the business relationship with that person.

(6) A relevant person which is providing a customer with a contract of long-term insurance (an “insurance policy”) must take reasonable measures to determine whether one or more of the beneficiaries of the insurance policy or the beneficial owner of a beneficiary of such an insurance policy are—

(a)PEPs, or

(b)family members or known close associates of PEPs.

(7) The measures required under paragraph (6) must be taken before—

(a)any payment is made under the insurance policy, or

(b)the benefit of the insurance policy is assigned in whole or in part to another person.

(8) A relevant person must, in addition to the measures required by regulation 33, ensure that—

(a)its senior management is informed before it pays out any sums under an insurance policy the beneficiary of which is a PEP or a person who comes within paragraph (6)(b) in relation to a PEP, and

(b)its entire business relationship with the holder of the insurance policy (“the policy holder”) is scrutinised on an ongoing basis in accordance with enhanced procedures, whether or not the policy holder is a PEP or a family member or known close associate of a PEP.

(9) Where a person who was a PEP is no longer entrusted with a prominent public function, a relevant person must continue to apply the requirements in paragraphs (5) and (8) in relation to that person—

(a)for a period of at least 12 months after the date on which that person ceased to be entrusted with that public function; or

(b)for such longer period as the relevant person considers appropriate to address risks of money laundering or terrorist financing in relation to that person.

(10) Paragraph (9) does not apply in relation to a person who—

(a)was not a politically exposed person within the meaning of regulation 14(5) of the Money Laundering Regulations 2007 M20, when those Regulations were in force; and

(b)ceased to be entrusted with a prominent public function before the date on which these Regulations come into force.

(11) When a person who was a PEP is no longer entrusted with a prominent public function, the relevant person is no longer required to apply the requirements in paragraphs (5) and (8) in relation to a family member or known close associate of that PEP (whether or not the period referred to in paragraph (9) has expired).

(12) In this regulation—

(a)“politically exposed person” or “PEP” means an individual who is entrusted with prominent public functions, other than as a middle-ranking or more junior official;

(b)“family member” of a politically exposed person includes—

(i)a spouse or civil partner of the PEP;

(ii)children of the PEP and the spouses or civil partners of the PEP's children;

(iii)parents of the PEP;

(c)“known close associate” of a PEP means—

(i)an individual known to have joint beneficial ownership of a legal entity or a legal arrangement or any other close business relations with a PEP;

(ii)an individual who has sole beneficial ownership of a legal entity or a legal arrangement which is known to have been set up for the benefit of a PEP;

[F51(d)“domestic PEP” means a politically exposed person entrusted with prominent public functions by the United Kingdom;

(e)“non-domestic PEP” means a politically exposed person who is not a domestic PEP;

(f)“enhanced risk factors”, in relation to a customer or potential customer who is a domestic PEP or a family member or a known close associate of that domestic PEP, mean risk factors other than the customer’s or potential customer’s position as a domestic PEP or as a family member or a known close associate of that domestic PEP.]

(13) For the purposes of paragraph (5), a reference to a business relationship with an individual includes a reference to a business relationship with a person of which the individual is a beneficial owner.

(14) For the purposes of paragraphs (9), (11) and [F52(12)], individuals entrusted with prominent public functions include—

(a)heads of state, heads of government, ministers and deputy or assistant ministers;

(b)members of parliament or of similar legislative bodies;

(c)members of the governing bodies of political parties;

(d)members of supreme courts, of constitutional courts or of any judicial body the decisions of which are not subject to further appeal except in exceptional circumstances;

(e)members of courts of auditors or of the boards of central banks;

(f)ambassadors, charges d'affaires and high-ranking officers in the armed forces;

(g)members of the administrative, management or supervisory bodies of State-owned enterprises;

(h)directors, deputy directors and members of the board or equivalent function of an international organisation.

(15) For the purpose of deciding whether a person is a known close associate of a politically exposed person, a relevant person need only have regard to information which is in its possession, or to credible information which is publicly available.

Politically exposed persons: other dutiesU.K.

36.—(1) The duty under section 30(1) of the Bank of England and Financial Services Act 2016 (duty to ensure that regulations or orders implementing the fourth money laundering directive comply with paragraphs (a) to (d) of that subsection) M21 does not apply if, and to the extent that, the duty is otherwise satisfied as a result of any provision contained in these Regulations, or any guidance issued by the FCA under these Regulations.

(2) The duty under section 333U(1) and (2) of FSMA (duty to issue guidance in connection with politically exposed persons) M22 does not apply if, and to the extent that, the duty is otherwise satisfied as a result of guidance issued by the FCA under these Regulations.

CHAPTER 3U.K.Simplified customer due diligence

Application of simplified customer due diligenceU.K.

37.—(1) A relevant person may apply simplified customer due diligence measures in relation to a particular business relationship or transaction if it determines that the business relationship or transaction presents a low degree of risk of money laundering and terrorist financing, having taken into account—

(a)the risk assessment it carried out under regulation 18(1);

(b)relevant information made available to it under regulations 17(9) and 47; and

(c)the risk factors referred to in paragraph (3).

(2) Where a relevant person applies simplified customer due diligence measures, it must—

(a)continue to comply with the requirements in [F53regulations 28 and 30A], but it may adjust the extent, timing or type of the measures it undertakes under [F54regulation 28] to reflect its determination under paragraph (1); and

(b)carry out sufficient monitoring of any business relationships or transactions which are subject to those measures to enable it to detect any unusual or suspicious transactions.

(3) When assessing whether there is a low degree of risk of money laundering and terrorist financing in a particular situation, and the extent to which it is appropriate to apply simplified customer due diligence measures in that situation, the relevant person must take account of risk factors including, among other things—

(a)customer risk factors, including whether the customer—

(i)is a public administration, or a publicly owned enterprise;

(ii)is an individual resident in a geographical area of lower risk (see sub-paragraph (c));

(iii)is a credit institution or a financial institution which is—

[F55(aa)subject to requirements in national legislation having an equivalent effect to those laid down in the fourth money laundering directive on an obliged entity (within the meaning of that directive); and]

(bb)supervised for compliance with those requirements [F56in a manner equivalent to] section 2 of Chapter VI of the fourth money laundering directive;

(iv)is a company whose securities are listed on a regulated market, and the location of the regulated market;

(b)product, service, transaction or delivery channel risk factors, including whether the product or service is—

(i)a life insurance policy for which the premium is low;

(ii)an insurance policy for a pension scheme which does not provide for an early surrender option, and cannot be used as collateral;

(iii)a pension, superannuation or similar scheme which satisfies the following conditions—

(aa)the scheme provides retirement benefits to employees;

(bb)contributions to the scheme are made by way of deductions from wages; and

(cc)the scheme rules do not permit the assignment of a member's interest under the scheme;

(iv)a financial product or service that provides appropriately defined and limited services to certain types of customers to increase access for financial inclusion purposes in [F57the United Kingdom];

(v)a product where the risks of money laundering and terrorist financing are managed by other factors such as purse limits or transparency of ownership;

(vi)a child trust fund within the meaning given by section 1(2) of the Child Trust Funds Act 2004 M23;

(vii)a junior ISA within the meaning given by regulation 2B of the Individual Savings Account Regulations 1998 M24;

(c)geographical risk factors, including whether the country where the customer is resident, established or registered or in which it operates is—

(i)[F58the United Kingdom];

(ii)a third country which has effective systems to counter money laundering and terrorist financing;

(iii)a third country identified by credible sources as having a low level of corruption or other criminal activity, such as terrorism (within the meaning of section 1 of the Terrorism Act 2000 M25), money laundering, and the production and supply of illicit drugs;

(iv)a third country which, on the basis of credible sources, such as evaluations, detailed assessment reports or published follow-up reports published by the Financial Action Task Force, the International Monetary Fund, the World Bank, the Organisation for Economic Co-operation and Development or other international bodies or non-governmental organisations—

(aa)has requirements to counter money laundering and terrorist financing that are consistent with the revised Recommendations published by the Financial Action Task Force in February 2012 and updated in October 2016; and

(bb)effectively implements those Recommendations.

(4) In making the assessment referred to in paragraph (3), relevant persons must bear in mind that the presence of one or more risk factors may not always indicate that there is a low risk of money laundering and terrorist financing in a particular situation.

(5) A relevant person may apply simplified customer due diligence measures where the customer is a person to whom paragraph (6) applies and the product is an account into which monies are pooled (the “pooled account”), provided that—

(a)the business relationship with the holder of the pooled account presents a low degree of risk of money laundering and terrorist financing; and

(b)information on the identity of the persons on whose behalf monies are held in the pooled account is available, on request to the relevant person where the pooled account is held.

(6) This paragraph applies to—

(a)a relevant person who is subject to these Regulations under regulation 8;

[F59(b)a person who carries on business in a third country who is—

(i)subject to requirements in national legislation having an equivalent effect to those laid down in the fourth money laundering directive on an obliged entity (within the meaning of that directive); and

(ii)supervised for compliance with those requirements in a manner equivalent to section 2 of Chapter VI of the fourth money laundering directive.]

F60(7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(8) A relevant person must not continue to apply simplified customer due diligence measures under paragraph (1)—

(a)if it doubts the veracity or accuracy of any documents or information previously obtained for the purposes of identification or verification;

(b)if its risk assessment changes and it no longer considers that there is a low degree of risk of money laundering and terrorist financing;

(c)if it suspects money laundering or terrorist financing; or

(d)if any of the conditions set out in regulation 33(1) apply.

Electronic moneyU.K.

38.—(1) Subject to paragraph (3), a relevant person is not required to apply customer due diligence measures in relation to electronic money, and regulations 27, 28, 30 and 33 to 37 do not apply provided that—

(a)the maximum amount which can be stored electronically is [F61150 euros];

(b)the payment instrument used in connection with the electronic money (“the relevant payment instrument”) is—

(i)not reloadable; or

(ii)is subject to a maximum limit on monthly payment transactions of [F62150 euros] which can only be used in the United Kingdom;

(c)the relevant payment instrument is used exclusively to purchase goods or services;

(d)anonymous electronic money cannot be used to fund the relevant payment instrument.

(2) Paragraph (1) does not apply to any transaction which consists of the redemption in cash, or a cash withdrawal, of the monetary value of the electronic money, [F63where—

(a)the amount redeemed exceeds 50 euros; or

(b)in the case of remote payment transactions, the amount redeemed exceeds 50 euros per transaction.]

(3) The issuer of the relevant payment instrument must carry out sufficient monitoring of its business relationship with the users of electronic money and of transactions made using the relevant payment instrument to enable it to detect any unusual or suspicious transactions.

(4) A relevant person is not prevented from applying simplified customer due diligence measures in relation to electronic money because the conditions set out in paragraph (1) are not satisfied, provided that such measures are permitted under regulation 37.

[F64(4A) Credit institutions and financial institutions, acting as acquirers for payment using an anonymous prepaid card issued in a third country, shall only accept payment where—

(a)the anonymous prepaid card is subject to requirements in national legislation having an equivalent effect to those laid down in this regulation; and

(b)the anonymous prepaid card satisfies those requirements.]

[F65(5) For the purposes of this regulation—

(a)“acquirer” means a payment service provider contracting with a payee to accept and process card-based payment transactions, which result in a transfer of funds to the payee;

(b)“payment instrument” has the meaning given by regulation 2(1) of the Electronic Money Regulations 2011 M26;

(c)“remote payment transaction” has the meaning given by regulation 2 of the Payment Services Regulations 2017 M27.]