What do recent changes to the UK’s AML regulations mean for your business?

Amended UK Money Laundering and Terrorist Financing Regulations (MLRs) came into force on 1 September 2022, the culmination of a consultation process begun last year by the Government. All regulated firms in the UK will need to be aware of changes in relation to the management of proliferation financing (PF) risk and supervisors’ powers, whilst crypto asset exchanges are now required to adhere to Financial Action Taskforce (FATF) Recommendation 16, otherwise known as the “Travel Rule”. Many of the changes will be implemented through the Money Laundering and Terrorist Financing (Amendment) (No.2) Regulation 2022 Statutory Instrument.

Proliferation Financing

The amended MLRs include measures to incorporate the FATF’s standards in respect of recommendation 1, for businesses and financial institutions to mitigate the risk of PF, defined as the provision of funds or financial services used for the manufacture, acquisition, development or transport of nuclear, chemical, or biological weapons.  The UK Government consultation found that there is limited knowledge on PF within financial services generally, and it is hoped that the new regulatory obligations, along with the Government’s publication of the UKs first National Risk Assessment of Proliferation Financing last year can help to address that.

After conducting a robust risk assessment to determine their exposure to PF risk, firms will need to tailor existing controls such as customer due diligence (CDD), customer and payment screening and transaction monitoring systems to ensure they effectively identify PF risk, and implement additional PF-specific controls where necessary. Particular attention should be paid to the control environment around higher risk products like trade finance, as well as transactions and customers with a nexus to a higher risk jurisdiction, which should as a minimum encompass warzones, states with nuclear aspirations like Iran and North Korea, along with their neighbours and trading and cultural partners. As such jurisdictions are often the subjects of Western sanctions and export control regimes, firms may find that their existing controls for complying with these regimes are also effective at mitigating PF risk or can be tweaked or enhanced relatively efficiently.

Changes for AML/CFT Supervisors

Another change introduced in the amended regulations gives AML/CFT supervisors the right, on request, to view the contents of a Suspicious Activity Report (SAR) submitted by the firms and individuals supervised by them. While concerns were raised among those consulted around an increased risk of “tipping off” the UK Government judged the risk to be minimal, as information is expected to be handled appropriately and provide a “clear legal gateway for AML/CTF supervisors to access, view and consider the quality of the content of SARs submitted by supervised populations, provided they are necessary to fulfil supervisory functions”. Ultimately this does not represent any new obligation for regulated firms, but the quality of SARs has undoubtedly been a major focus area for regulators since the FinCEN files were leaked. The UK financial intelligence unit issued guidance of submitting better quality SARs just a few months after the exposé, which it has followed up with regular booklets featuring case studies and best practices for firms to learn from.

Further, the amended MLRs provide greater scope for information sharing between authorities and supervisors, including the disclosure of more confidential information held by the Financial Conduct Authority. The impact this has on firms remains to be seen, but the hope is that this freer flow of information will help to identify emerging financial crime typologies and risks more swiftly within customer populations.

Crypto Exchange Regulations

From September 2023, crypto asset exchange providers and custodian wallet providers will be subject to the FATF’s “Travel Rule” which means they will be required to share originator and beneficiary data with each other during fiat crypto transactions exceeding EUR 1,000 in value. This rule change has a few caveats:

• The rule will not apply to unhosted wallets (for the time being at least), a type of self-custody wallet where the balance is kept off of an exchange or third party.
• Data is not expected to be sent “on chain” but sent through a different system that is not publicly accessible and is compliant with data sharing regulations.
• For UK domestic transactions, data would only need to be provided on request.

The MLRs have also been amended to grant the FCA with the powers to refuse to register a cryptoasset firm, or suspend or cancel the registration of a cryptoasset business if the FCA believes its ownership is unsuitable (e.g. where the acquirer does not pass FCA’s “Fit & Proper” tests), including with a change in ownership for an already registered entity.

In-scope crypto firms will therefore need to understand their obligations under the MLRs and satisfy themselves that their systems and controls can adequately handle the data processing and storage demands brought about by these new requirements. In addition, senior managers should ensure that major shareholders and controllers are committed to financial crime compliance. As practitioners discussed at an Exiger roundtable, this can be challenging when individuals are from other professional backgrounds, but owner buy-in appears more important than ever, especially given the difficulties crypto firms have had obtaining regulatory approval.