The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017

CHAPTER 1Customer due diligence: general

Customer due diligence

27.—(1) A relevant person must apply customer due diligence measures if the person—

(a)establishes a business relationship;

(b)carries out an occasional transaction that amounts to a transfer of funds within the meaning of Article 3.9 of the funds transfer regulation exceeding 1,000 euros;

(c)suspects money laundering or terrorist financing; or

(d)doubts the veracity or adequacy of documents or information previously obtained for the purposes of identification or verification.

(2) A relevant person who is not a high value dealer or a casino must also apply customer due diligence measures if the person carries out an occasional transaction that amounts to 15,000 euros or more, whether the transaction is executed in a single operation or in several operations which appear to be linked.

(3) A high value dealer must also apply customer due diligence measures if that dealer carries out an occasional transaction in cash that amounts to 10,000 euros or more, whether the transaction is executed in a single operation or in several operations which appear to be linked.

(4) A transaction does not cease to be a “transaction in cash” for the purposes of paragraph (3) if cash is paid by or on behalf of a party to the transaction—

(a)to a person other than the other party to the transaction for the benefit of the other party, or

(b)into a bank account for the benefit of the other party to the transaction.

(5) A casino must also apply customer due diligence measures in relation to any transaction within paragraph (6) that amounts to 2,000 euros or more, whether the transaction is executed in a single operation or in several operations which appear to be linked.

(6) A transaction is within this paragraph if it consists of—

(a)the wagering of a stake, including—

(i)the purchase from, or exchange with, the casino of tokens for use in gambling at the casino;

(ii)payment for use of gaming machines (within the meaning of section 235 of the Gambling Act 2005(1)); and

(iii)the deposit of funds required to take part in remote gambling; or

(b)the collection of winnings, including the withdrawal of funds deposited to take part in remote gambling (within the meaning of section 4 of the Gambling Act 2005) or winnings arising from the staking of such funds.

(7) In determining whether a transaction amounts to 2,000 euros or more for the purposes of paragraph (5), no account is to be taken of winnings from a previous transaction which had not been collected from the casino, gaming machine or remote gambling, but are being re-used in the transaction in question.

(8) A relevant person must also apply customer due diligence measures—

(a)at other appropriate times to existing customers on a risk based approach;

(b)when the relevant person becomes aware that the circumstances of an existing customer relevant to its risk assessment for that customer have changed.

(9) For the purposes of paragraph (8), in determining when it is appropriate to take customer due diligence measures in relation to existing customers, a relevant person must take into account, among other things—

(a)any indication that the identity of the customer, or of the customer’s beneficial owner, has changed;

(b)any transactions which are not reasonably consistent with the relevant person’s knowledge of the customer;

(c)any change in the purpose or intended nature of the relevant person’s relationship with the customer;

(d)any other matter which might affect the relevant person’s assessment of the money laundering or terrorist financing risk in relation to the customer.

Customer due diligence measures

28.—(1) This regulation applies when a relevant person is required by regulation 27 to apply customer due diligence measures.

(2) The relevant person must—

(a)identify the customer unless the identity of that customer is known to, and has been verified by, the relevant person;

(b)verify the customer’s identity unless the customer’s identity has already been verified by the relevant person; and

(c)assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or occasional transaction.

(3) Where the customer is a body corporate—

(a)the relevant person must obtain and verify—

(i)the name of the body corporate;

(ii)its company number or other registration number;

(iii)the address of its registered office, and if different, its principal place of business;

(b)subject to paragraph (5), the relevant person must take reasonable measures to determine and verify—

(i)the law to which the body corporate is subject, and its constitution (whether set out in its articles of association or other governing documents);

(ii)the full names of the board of directors (or if there is no board, the members of the equivalent management body) and the senior persons responsible for the operations of the body corporate.

(4) Subject to paragraph (5), where the customer is beneficially owned by another person, the relevant person must—

(a)identify the beneficial owner;

(b)take reasonable measures to verify the identity of the beneficial owner so that the relevant person is satisfied that it knows who the beneficial owner is; and

(c)if the beneficial owner is a legal person, trust, company, foundation or similar legal arrangement take reasonable measures to understand the ownership and control structure of that legal person, trust, company, foundation or similar legal arrangement.

(5) Paragraphs (3)(b) and (4) do not apply where the customer is a company which is listed on a regulated market.

(6) If the customer is a body corporate, and paragraph (7) applies, the relevant person may treat the senior person in that body corporate responsible for managing it as its beneficial owner.

(7) This paragraph applies if (and only if) the relevant person has exhausted all possible means of identifying the beneficial owner of the body corporate and—

(a)has not succeeded in doing so, or

(b)is not satisfied that the individual identified is in fact the beneficial owner.

(8) If paragraph (7) applies, the relevant person must keep records in writing of all the actions it has taken to identify the beneficial owner of the body corporate.

(9) Relevant persons do not satisfy their requirements under paragraph (4) by relying solely on the information—

(a)contained in—

(i)the register of people with significant control kept by a company under section 790M of the Companies Act 2006 (duty to keep register)(2);

(ii)the register of people with significant control kept by a limited liability partnership under section 790M of the Companies Act 2006 as modified by regulation 31E of the Limited Liability Partnerships (Application of Companies Act 2006) Regulations 2009(3); or

(iii)the register of people with significant control kept by a European Public Limited-Liability Company (within the meaning of the Council Regulation 2157/2001/EC of 8 October 2001 on the Statute for a European Company which is to be, or is, registered in the United Kingdom) under section 790M of the Companies Act 2006 as modified by regulation 5 of the European Public Limited Liability Company (Register of People with Significant Control) Regulations 2016(4);

(b)referred to in sub-paragraph (a) and delivered to the registrar of companies (within the meaning of section 1060(3) of the Companies Act 2006 (the registrar)) under any enactment; or

(c)contained in required particulars in relation to eligible Scottish partnerships delivered to the registrar of companies under regulation 19 of the Scottish Partnerships (Register of People with Significant Control) Regulations 2017(5).

(10) Where a person (“A”) purports to act on behalf of the customer, the relevant person must—

(a)verify that A is authorised to act on the customer’s behalf;

(b)identify A; and

(c)verify A’s identity on the basis of documents or information in either case obtained from a reliable source which is independent of both A and the customer.

(11) The relevant person must conduct ongoing monitoring of a business relationship, including—

(a)scrutiny of transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the relevant person’s knowledge of the customer, the customer’s business and risk profile;

(b)undertaking reviews of existing records and keeping the documents or information obtained for the purpose of applying customer due diligence measures up-to-date.

(12) The ways in which a relevant person complies with the requirement to take customer due diligence measures, and the extent of the measures taken—

(a)must reflect—

(i)the risk assessment carried out by the relevant person under regulation 18(1);

(ii)its assessment of the level of risk arising in any particular case;

(b)may differ from case to case.

(13) In assessing the level of risk in a particular case, the relevant person must take account of factors including, among other things—

(a)the purpose of an account, transaction or business relationship;

(b)the level of assets to be deposited by a customer or the size of the transactions undertaken by the customer;

(c)the regularity and duration of the business relationship.

(14) If paragraph (15) applies, a relevant person is not required to continue to apply customer due diligence measures under paragraph (2) or (10) in respect of a customer.

(15) This paragraph applies if all the following conditions are met—

(a)a relevant person has taken customer due diligence measures in relation to a customer;

(b)the relevant person makes a disclosure required by—

(i)Part 3 of the Terrorism Act 2000(6), or

(ii)Part 7 of the Proceeds of Crime Act 2002(7); and

(c)continuing to apply customer due diligence measures in relation to that customer would result in the commission of an offence by the relevant person under—

(i)section 21D of the Terrorism Act 2000 (tipping off: regulated sector)(8); or

(ii)section 333A of the Proceeds of Crime Act 2002 (tipping off: regulated sector)(9).

(16) The relevant person must be able to demonstrate to its supervisory authority that the extent of the measures it has taken to satisfy its requirements under this regulation are appropriate in view of the risks of money laundering and terrorist financing, including risks—

(a)identified by the risk assessment carried out by the relevant person under regulation 18(1);

(b)identified by its supervisory authority and in information made available to the relevant person under regulations 17(9) and 47.

(17) Paragraph (16) does not apply to the National Savings Bank or the Director of Savings.

(18) For the purposes of this regulation—

(a)except in paragraph (10), “verify” means verify on the basis of documents or information in either case obtained from a reliable source which is independent of the person whose identity is being verified;

(b)documents issued or made available by an official body are to be regarded as being independent of a person even if they are provided or made available to the relevant person by or on behalf of that person.

Additional customer due diligence measures: credit institutions and financial institutions

29.—(1) This regulation applies in addition to regulation 28 where a relevant person is a credit institution or a financial institution.

(2) Paragraphs (3) to (5) apply if the relevant person is providing a customer with a contract of long-term insurance (“the insurance policy”).

(3) As soon as the beneficiaries of the insurance policy are identified or designated, the relevant person must—

(a)if the beneficiary is a named person or legal arrangement, take the full name of the person or arrangement; or

(b)if the beneficiaries are designated by specified characteristics, as a class or in any other way, obtain sufficient information about the beneficiaries to satisfy itself that it will be able to establish the identity of the beneficiary before any payment is made under the insurance policy.

(4) The relevant person must verify the identity of the beneficiaries (on the basis of documents or information in either case obtained from a reliable source which is independent of the customer and the beneficiaries, and regulation 28(18)(b) applies for the purpose of determining whether a source satisfies this requirement) before any payment is made under the insurance policy.

(5) When the relevant person becomes aware that all or part of the rights under the insurance policy are being, or have been, assigned to an individual, body corporate, trust or other legal arrangement which is receiving the value or part of the value of the insurance policy for its own benefit (“the new beneficiary”), the relevant person must identify the new beneficiary as soon as possible after becoming aware of the assignment, and in any case before a payment is made under the policy.

(6) The relevant person must not set up an anonymous account or an anonymous passbook for any new or existing customer.

(7) The relevant person must apply customer due diligence measures to all anonymous accounts and passbooks in existence on the date on which these Regulations come into force, and in any event before such accounts or passbooks are used in any way.

(8) A relevant person which—

(a)is an open-ended investment company within the meaning of regulation 2(1) of the Open-Ended Investment Companies Regulations 2001(10); and

(b)is authorised on or after the date on which these Regulations come into force,

may not issue shares evidenced by a share certificate (or any other documentary evidence) indicating that the holder of the certificate or document is entitled to the shares specified in it.

(9) Paragraph (8) does not apply to an open-ended investment company if—

(a)an application for an authorisation order under regulation 12 of the Open-ended Investment Companies Regulations 2001 was made in relation to that open-ended investment company before the date on which these Regulations come into force; and

(b)that application was not determined until a date on or after the date on which these Regulations come into force.

Timing of verification

30.—(1) This regulation applies when a relevant person is required to take any measures under regulation 27, 28 or 29.

(2) Subject to paragraph (3) or (4), a relevant person must comply with the requirement to verify the identity of the customer, any person purporting to act on behalf of the customer and any beneficial owner of the customer before the establishment of a business relationship or the carrying out of the transaction.

(3) Provided that the verification is completed as soon as practicable after contact is first established, the verification of the customer, any person purporting to act on behalf of the customer and the customer’s beneficial owner, may be completed during the establishment of a business relationship if—

(a)this is necessary not to interrupt the normal conduct of business; and

(b)there is little risk of money laundering and terrorist financing.

(4) The verification by a credit institution or a financial institution of the identity of a customer opening an account, any person purporting to act on behalf of the customer and any beneficial owner of the customer, may take place after the account has been opened provided that there are adequate safeguards in place to ensure that no transactions are carried out by or on behalf of the customer before verification has been completed.

(5) For the purposes of paragraph (4) “account” includes an account which permits transactions in transferable securities.

(6) Paragraph (7) applies if—

(a)the relevant person is required to apply customer due diligence measures in the case of a trust, a legal entity (other than a body corporate) or a legal arrangement (other than a trust); and

(b)the beneficiaries of that trust, entity or arrangement are designated as a class, or by reference to particular characteristics.

(7) If this paragraph applies, the relevant person must establish and verify the identity of any beneficiary before—

(a)any payment is made to the beneficiary; or

(b)the beneficiary exercises its vested rights in the trust, legal entity or legal arrangement.

Requirement to cease transactions etc

31.—(1) Where, in relation to any customer, a relevant person is unable to apply customer due diligence measures as required by regulation 28, that person—

(a)must not carry out any transaction through a bank account with the customer or on behalf of the customer;

(b)must not establish a business relationship or carry out a transaction with the customer otherwise than through a bank account;

(c)must terminate any existing business relationship with the customer;

(d)must consider whether the relevant person is required to make a disclosure (or to make further disclosure) by—

(i)Part 3 of the Terrorism Act 2000(11); or

(ii)Part 7 of the Proceeds of Crime Act 2002(12).

(2) Paragraph (1)(a) does not prevent money deposited in an account being repaid to the person who deposited it, provided that, in any case where a disclosure is required by the legislation referred in paragraph (1)(d), the relevant person has—

(a)consent (within the meaning of section 21ZA of the Terrorism Act 2000 (arrangements with prior consent))(13) to the transaction, or

(b)the appropriate consent (within the meaning of section 335 of the Proceeds of Crime Act 2002 (appropriate consent)) to the transaction.

(3) Paragraph (1) does not apply where an independent legal professional or other professional adviser is in the course of ascertaining the legal position for a client or performing the task of defending or representing that client in, or concerning, legal proceedings, including giving advice on the institution or avoidance of proceedings.

(4) In paragraph (3), “other professional adviser” means an auditor, external accountant or tax adviser who is a member of a professional body which is established for any such persons and which makes provision for—

(a)testing the competence of those seeking admission to membership of such a body as a condition for such admission; and

(b)imposing and maintaining professional and ethical standards for its members, as well as imposing sanctions for non-compliance with those standards.

(5) Paragraph (1)(a) to (c) does not apply where an insolvency practitioner has been appointed by the court as administrator or liquidator of a company, provided that—

(a)the insolvency practitioner has taken all reasonable steps to satisfy the requirements set out in regulation 28(2) and (10), and

(b)the resignation of the insolvency practitioner would be prejudicial to the interests of the creditors of the company.

Exception for trustees of debt issues

32.—(1) A relevant person—

(a)who is appointed by the issuer of instruments or securities specified in paragraph (2) as trustee of an issue of such instruments or securities; or

(b)whose customer is a trustee of an issue of such instruments or securities,

is not required to apply the customer due diligence measure referred to in regulation 28(3) and (4) in respect of the holders of such instruments or securities.

(2) The specified instruments and securities are—

(a)instruments which fall within article 77 or 77A of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001(14); and

(b)securities which fall within article 78 of that Order(15).