AML Compliance Requirements in UK

The UK’s Anti-Money Laundering (AML) regime is an extensive set of laws, regulations, and guidance that seeks to protect its financial systems from financial crimes such as Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF). The UK’s AML regime includes several obligations that Relevant Persons, as defined under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), must adhere to. In this infographic, we’ll break down AML compliance requirements for Relevant Persons in the UK. These compliance obligations include the following:

1. Registration of the Relevant Person:

Relevant Persons need to register with their respective Supervisory Authority.

2. Appointment of Nominated Officer and CO:

Relevant Persons must appoint the following personnel:

  • Nominated Officer: The Nominated Officer is in charge of receiving internal disclosures regarding the detection of ML/TF/PF activities and submitting an external Suspicious Activity Report (SAR) to the Financial Intelligence Unit of the UK.
  • Compliance Officer: The Compliance Officer is a member of senior management or the board of directors who oversees the Relevant Person’s compliance under MLR 2017.

3. AML Firm-Wide Risk Assessment and Its Update:

AML Firm-Wide Risk Assessment (FWRA) is the process of identifying and evaluating a Relevant Person’s ML/TF/PF risk exposure across a range of risk factors such as its customers, delivery channels, its own nature and size, etc. The FWRA must be documented and regularly updated. Firm-Wide Risk Assessment is also known as ML/TF Risk Assessment, Business Risk Assessment, Entity Wide Risk Assessment, Enterprise Wide Risk Assessment, Practice-Wide Risk Assessment, etc.

4. Define and Regularly Update Internal Policies, Procedures, and Controls:

Relevant Persons need to frame and implement their internal AML Policies, Procedures, and Controls in order to establish AML processes in their organisational structure and comply with AML obligations. Refer to our infographic on General Components of AML Policies, Controls, and Procedures for detailed information.

5. Customer Identification and Verification or KYC:

Under MLR 2017, Relevant Persons are required to identify and verify the identities of their customers, the Beneficial Owners of their customers, and persons acting on behalf of the customer. This process is called customer identification and verification or Know Your Customer (KYC).

6. Screening:

Screening is the process through which Relevant Persons check the names of their customers against UK sanctions lists, as prescribed by the Office of Financial Sanctions Implementation (OFSI) and other authorities, to determine whether their customers are sanctioned.

If an existing customer is found to be sanctioned, that is, sanctions screening resulted in a target match, the following steps must be taken:

  • Freeze funds and economic resources of the customer
  • Refrain from dealing with the funds of the designated person
  • Report to OFSI
  • Classify the customer as high-risk

If the target match found is of a potential customer, the following steps must be taken:

  • Reject customer
  • Report to OFSI
  • Classify the customer as high-risk

If a potential target match is found, that is, not a full name match but a partial match, the following steps must be taken:

  • Contact OFSI for assistance
  • Classify the customer as high-risk

If no sanctions match is found, the Relevant Person can proceed with the next steps of the AML compliance process.

7. Risk Profiling:

Relevant Persons must conduct Customer Risk Assessment (CRA), which is the process of assessing the ML/TF/PF risks a customer poses to the business. CRA helps Relevant Persons build a customer risk profile and categorise them as low risk, high risk, or medium risk. Using CRA results, Relevant Persons can decide the type of Customer Due Diligence (CDD) measures that should be applied to a customer. When conducting CRA, Relevant Persons should take into consideration factors such as a customer’s behaviour, their structure (when the customer is a legal person), screening results, geography, products, transactions, delivery channel, etc.

8. Enhanced Due Diligence:

During the CRA, when a customer has been assessed to pose a high risk of ML/TF/PF, Relevant Persons are required to conduct Enhanced Due Diligence (EDD) for such customers. EDD involves measures such as enhanced customer identification and verification, Source of Funds and Source of Wealth verification, seeking approval of senior management before onboarding, etc.

9. Ongoing Monitoring:

Ongoing monitoring of business relationships must be conducted, particularly of CDD records and transactions. This is to ensure that any change in client information or any suspicious transactions are promptly detected.

10. Submit SAR using SAR Portal:

Whenever the AML Compliance Officer receives an internal disclosure regarding suspicion of ML/TF/PF activities and ascertains that the suspicion is genuine, it must be reported to the UK FIU, housed in the National Crime Agency, by filing a Suspicious Activity Report.

If the Relevant Person intends to proceed with a business relationship, despite potential ML/TF risk, the AML Compliance Officer must submit a Defence Against Money Laundering (DAML) or Defence Against Terrorist Financing (DATF) request as part of the SAR.

11. Repeat Process:

Whenever there is a change in client information, for example, if an existing customer becomes a Politically Exposed Person (PEP) or a customer’s country of residence becomes Grey-Listed by the Financial Action Task Force (FATF), CDD, including customer identification and verification, CRA, risk profiling, etc., needs to be conducted again.

12. Record Keeping:

Relevant Persons must maintain certain records as part of their AML compliance process. Under MLR 2017, records have to be maintained for a minimum of five years. However, records pertaining to transactions occurring as part of a business relationship, or to CDD measures taken as part of that relationship, are not required to be maintained for more than 10 years.

13. Other Requirements:

Apart from the ones mentioned above, other AML compliance requirements include

For more details on these requirements and framing an AML Program to implement them, read our one-stop guide to AML/CTF/CPF Program.

AML Compliance Requirements in UK: Concluding Remarks

In this infographic, we have simplified the AML compliance requirements for Relevant Persons in the UK. Adhering to these requirements protects Relevant Persons from the risks of AML non-compliance and helps them stay ahead of financial criminals seeking to misuse their products and services for financial crimes. Adopting AML best practices further enhances the AML compliance processes of Relevant Persons.