
Time to tighten your anti-money laundering defences

Andrew Jacobs

By 26 June 2017, all European Union member states are required to have enacted the Fourth Money Laundering Directive (4MLD) into national law. 4MLD aims to give effect to the updated Financial Action Task Force (“FATF”) standards. With this in mind, firms need to make sure their policies, procedures, systems and controls are up to scratch.

The UK Government has now published its draft Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 which seeks to transpose the Fourth Money Laundering Directive into national law. This follows on from the Treasury’s consultation in September 2016, and seeks to take into consideration the 186 responses received.

The UK money laundering regulations haven’t been updated since 2007; since then, the business world and technology have moved on substantially. 4MLD better reflects the current business environment and implements the 40 recommendations of FATF.

In light of 4MLD and the Government’s proposed regulations, the Joint Money Laundering Steering Group (JMLSG) has updated its guidance for firms in the financial services sector. This guidance is widely considered to establish industry best practice and is therefore an essential reference point for all FCA regulated firms.

Financial crime remains high on the FCA’s agenda, with firms being subjected to more scrutiny in relation to the effectiveness of their systems and controls in preventing financial crime and terrorist financing. 

So what are the main changes that firms will need to make to their policies and procedures to ensure they are compliant with the 4MLD by 26 June?

Risk assessments

Senior management are responsible for having a firm-wide risk assessment in place, and should identify the key risks to the business and how these will be addressed. This assessment should be documented and updated on a ‘regular’ basis – which we recommend should be annually. The FCA can, at any point, request a copy of the documented assessment from firms.

The EU is required to complete a global assessment of key financial crime risks and how these might affect the EU. Similarly, every two years the UK Government must undertake a risk assessment of what it considers are the key financial crime risks facing the UK economy. Firms are expected to consider whether the key risks identified by the UK Government might affect their business, and should document this assessment. This sort of risk-based approach is judged on the size, nature and scale of the business. However, firms are required to design and implement controls to manage and mitigate the risks identified by management, to update their response as necessary and to document their actions.

The FCA has emphasised the importance of customer risk assessments for some time. The new regulations now require firms to consider not only risks to the business at large, but also the risks that individual customers may pose to the business. Based on this, firms can then determine the level of due diligence required from a client. The JMLSG indicates that firms should consider factors such as the business or professional activity of the individual, their reputation, their nature and behaviour, their country of residence and the products and services sought. Delivery risks should also be considered, for example, whether the firm has met the individual face to face or only transacted over the internet (in which case, additional measures should be considered). The results of these assessments should feed into the firm-wide risk assessment.

Such risk assessments should be performed at the inception of the business relationship with a new customer. However, the JMLSG recognises that a comprehensive risk assessment may only be possible once the individual has started transacting. Firms therefore need to establish processes to ensure that, as well as conducting an upfront risk assessment, they also repeat the exercise at a later date when they can access more information on the customer. Customer risk assessments should then be kept up to date (e.g. revisited annually or biannually). Low risk customers might be reviewed every two years, for example, while all transactions of high risk customers should be subject to review on an on-going basis. If a risk assessment changes, for example, if a customer moves from low risk to high risk, firms need procedures in place to manage that increased risk, such as obtaining additional customer due diligence.

Customer due diligence

Simplified due diligence will no longer be directly applicable. Firms’ senior management will need to determine and document whether they are willing to accept that a customer is lower risk and therefore only apply simplified due diligence. The JMLSG’s guidance indicates that simplified due diligence is likely to apply to customers such as a company listed on a regulated market, an independent legal professional holding a pooled account, certain pension funds, child trust funds and junior ISAs. However, firms will need to document that they have agreed on and applied the simplified due diligence.

Enhanced due diligence

Many firms have commented that the old rules were not particularly clear about the situations in which enhanced due diligence measures should be applied. The JMLSG’s guidance has been updated to provide some risk factor guidelines firms should consider in order to determine if enhanced due diligence should be applied.

Beneficial ownership

A beneficial owner is still defined as having a 25% interest in the entity, but the attention given to beneficial ownership has increased. Each EU member state will be required to maintain a register of beneficial owners. In the UK, reliance may be placed on registers such as Companies House for companies and partnerships, but guidance is awaited on the implications for other entities such as trusts or Scottish limited liability partnerships.


The definition of a politically exposed person (PEP) has changed: it now encompasses domestic as well as international persons, so bringing local MPs in scope, as well as their close associates and family members. The FCA is consulting on guidance on how firms should treat PEPs under the new regulations, indicating that it expects firms to act in a proportionate manner. The FCA expects there to be only a few cases where firms will need to decline a business relationship solely on the basis that the individual is a PEP.

When applying due diligence measures to PEPs, the FCA has stressed that the approach should be proportionate, risk-based and differentiated, i.e. PEPs, their families and close associates that pose a lower risk should be subject to less scrutiny than those presenting a higher risk.

When dealing with local or domestic PEPs, firms are expected to take account of public information, such as that contained in registers, in order to minimise the burden on customers and avoid duplication of effort. 

For further support and assistance in meeting the requirements of the fourth money laundering directive and the other new draft legislation, please contact to arrange a conversation or health check.