Managing Regulatory Obligations

Firms must not misuse information relating to client orders, and must also take steps to prevent its abuse
(eg, to profit by dealing with their own account).

2
9. Money Laundering, Counter-Terrorism and Bribery
Learning Objective

2.8.1 Understand what constitute money laundering and counter terrorism funding in the UK; the
relevant legislation
2.8.2 Know Customer Due Diligence (CDD) requirements

Money laundering (ML) is the process of turning ‘dirty’ money derived from criminal activities into
‘clean’ money, which appears to be from legitimate origins. Dirty money is difficult to invest or spend,
and carries the risk of being used as evidence of the initial crime. Laundered money can more easily be
invested and spent without the risk of incrimination.

In money laundering legislation, ‘criminal property’ refers to property that an alleged offender knows or
suspects constitutes or represents benefit from any criminal conduct.

‘Criminal conduct’ is the conduct undertaken by an individual that has resulted in an offence. In the
context of money laundering, it involves accepting money known to be derived from criminal activity
and attempting to launder it to make it appear ‘clean’ or legitimate.

There are three stages to a successful money laundering operation:

1. Placement – introduction of the money into the financial system; typically, this involves placing the
criminally derived cash into a bank or building society account, a bureau de change, or any other
type of enterprise which can accept cash, such as a casino.
2. Layering – involves moving the money around in order to make it difficult for the authorities to link
the placed funds with the ultimate beneficiary of the money. This may involve buying and selling
international currencies, shares, or bonds in rapid succession, investing in CISs, or insurance-based
investment products, as well as high-value physical items such as cars or jewellery, or moving the
money from one country to another.
3. Integration – at this final stage, the layering has been successful, and the ultimate beneficiary
appears to be holding legitimate funds and/or assets (clean money rather than dirty money). The
money is regarded as integrated into the legitimate financial system.

Broadly, AML provisions apply to all crimes. They aim to identify customers, report suspicions at the
placement and layering stages, and keep adequate records to prevent the integration stage from being
reached.

103
9.1 Anti-Money Laundering (AML) Provisions
Increasingly, AML provisions are being seen as the front line against drug dealing, organised crime, and
the financing of terrorism. Much police activity is directed toward making the disposal of criminal assets
more difficult and monitoring the movement of money.

The UK rules and regulations in relation to money laundering come from various sources. Primary
legislation includes:

• Proceeds of Crime Act 2002 (POCA)

• Serious Organised Crime and Police Act 2005 (SOCPA)
• Counter-Terrorism Act 2008 (CTA) (Schedule 7)
• Terrorism Act 2000 (TA)
• FCA’s Senior Management Arrangements, Systems and Controls (SYSC) Sourcebook, and
• Industry guidance in the form of the Joint Money Laundering Steering Group (JMLSG) Guidance.

Secondary includes the Money Laundering Regulations 2017 (The Money Laundering, Terrorist
Financing, and Transfer of Funds (Information on the Payer) Regulations 2017).

Specific rules for financial services firms are provided in the FCA’s SYSC Sourcebook. The JMLSG guidance
provides further guidance on implementing the requirements of the ML Regulations.

The Proceeds of Crime Act 2002 (POCA)

POCA specifies that money laundering relates to criminal property – any benefit (monetary or otherwise)
arising from criminal conduct. Property is criminal property only if the alleged offender knows or suspects
it is criminal property. Firms are required to report suspicions of money laundering to authorities.

The Serious Organised Crime and Police Act 2005 (SOCPA)

This Act amended certain sections of POCA. One feature of POCA was that criminal conduct was deemed
to include anything that would have been an offence if done in the UK, regardless of where it actually
occurred. This led to issues such as the ‘Spanish bullfighter’ problem, where bullfighting is illegal in the
UK but not in Spain.

SOCPA addresses this by providing a defence for alleged offenders if they can show that they knew or
believed on reasonable grounds that the conduct was not criminal where it happened. However, the
Secretary of State can prescribe certain offences as ‘relevant criminal conduct’ that need to be reported
even if they are legal where they occurred.

The Terrorism Act 2000 (TA)

This Act contains the law relating to the financing of terrorism. It criminalises raising, receiving, owning,
or using finance or property for terrorist activity; entering into arrangements to make finance available
for terrorist activity; and facilitating the concealment or movement of such finance or property.

Conviction can lead to up to 14 years’ imprisonment, an unlimited fine, or both. There is a defence if a
person reported their suspicions, intended to report but had a good reason not to, or acted with police
permission.

104
 Managing Regulatory Obligations

Failure to report suspicious transactions related to terrorist financing is also an offence, punishable by
up to five years’ imprisonment, an unlimited fine, or both.

The scope of the Act is not limited to terrorist acts in the UK, or acts against the Government. It is

2
discussed in more detail in section 4.5.

The Counter-Terrorism Act 2008 (CTA)

The CTA includes provisions related to terrorist financing and money laundering, giving HM Treasury
new powers to direct financial sector firms to take actions regarding business with parties outside the
UK if there are concerns about money laundering, nuclear/biological weapons proliferation, or terrorist
financing. Non-compliance can result in civil penalties or criminal prosecution, with a maximum penalty
of two years’ imprisonment, an unlimited fine, or both. It is discussed in more detail in section 4.5.

The Money Laundering Regulations 2017 (MLRs)

The Money Laundering Regulations 2017 give effect to the Fourth Money Laundering Directive (4MLD),
while the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 implemented
the Fifth Money Laundering Directive (5MLD). 4MLD strengthened anti-money laundering legislation,
bringing changes to customer due diligence rules. 5MLD introduced requirements for cryptoasset
exchanges and custodian wallet providers and made changes to customer due diligence requirements.

The Regulations predominantly deal with processes firms must adopt to combat money laundering,
including systems and training requirements and obligations to check new customer identities.

The Criminal Finances Act 2017

The Criminal Finances Act 2017 holds companies and partnerships criminally liable if they fail to prevent
tax evasion by either a member of their staff or an external agent, even if the business was not involved
in or unaware of the Act. A prosecution could lead to both a conviction and unlimited penalties. While
tax evasion was already an offence, previously it was not possible to ascribe criminal liability to the firm
where it occurred.

A business may avoid criminal liability if it can show that it had implemented reasonable prevention
procedures or that it was unreasonable or unrealistic to have expected it to have procedures in place. A
further measure in the Act allows for unexplained wealth orders to be served on individuals suspected
of a serious crime, requiring them to explain the sources of their wealth; any proceeds of crime can
be seized by the authorities. The Act also includes further powers to investigate suspected money
laundering or terrorist financing, and new orders to require individuals to disclose information they have
on money laundering activities.

The FCA Senior Management Arrangements, Systems and Controls (SYSC) Sourcebook
This sourcebook provides high-level standards of governance for FCA-authorised firms regarding the
obligations of senior management in implementing AML provisions in the UK financial services sector.

The Joint Money Laundering Steering Group (JMLSG) Guidance Notes

The Joint Money Laundering Steering Group (JMLSG) comprises leading UK trade associations in the
financial services sector, including UK Finance, the Building Societies Association, and the Association of
British Insurers (ABI). Its aim is to promote good practices in countering money laundering and provide

105
practical assistance in interpreting the ML Regulations. This is achieved by publishing industry guidance
on implementing risk management, anti-terrorist financing, and AML provisions. The Guidance Notes
are neither mandatory, nor are they regulations or law; instead, they highlight industry best practices.
They are also approved by HM Treasury, meaning that adherence to them is considered evidence of
compliance with legislation.

The FCA has confirmed that it will consider whether a firm has followed the relevant provisions and
guidance of the JMLSG when deciding whether to take action against it and when considering whether
to prosecute a breach of the ML Regulations.

The stated purpose of the JMLSG guidance is to:

• outline the legal and regulatory framework for AML and combating the financing of terrorism (CFT)
requirements and systems across the financial services sector
• interpret the requirements of the relevant laws and regulations, and explain how they may be
implemented in practice
• indicate good industry practice in AML and CFT procedures through a proportionate, risk-based
approach (RBA), and
• help firms design and implement the systems and controls necessary to mitigate the risk of them
being used in connection with money laundering and terrorist financing.

The guidance provided by the JMLSG is divided into several parts. The main text in Part I contains
generic guidance applicable across the UK financial sector. Part II provides guidance for specific industry
sectors, supplementing the generic guidance in Part I. Part III offers additional specialist guidance on
specific areas of activity.

The JMLSG guidance emphasises the responsibility of senior management to manage a firm’s money
laundering and terrorist financing risks, through a risk-based approach. It sets out a standard approach
to customer identification and verification, separating basic identity from other aspects of customer
due diligence (CDD) measures, and provides guidance on the obligation to monitor customer activity.

The guidance incorporates a range of reference material to assist senior management, nominated
officers, and MLROs in understanding the overall context of and obligations within the UK AML/CFT
framework.

Each part of the guidance is annotated with references to relevant legal and regulatory provisions.

Part I comprises eight separate chapters, followed by a glossary of terms and abbreviations, and a
number of appendices setting out other generally applicable material. Some of the individual chapters
are followed by annexes specific to the material covered.

Part I: General Guidance

Part I sets out industry guidance on:
• the importance of senior management taking responsibility for effectively managing the money
laundering and terrorist financing risks faced by the firm’s businesses (Chapter 1)
• appropriate controls in the context of financial crime (Chapter 2)
• the role and responsibilities of the nominated officer and the MLRO (Chapter 3)

106
 Managing Regulatory Obligations

• adopting a risk-based approach to the application of customer due diligence (CDD) measures
(Chapter 4)
• helping a firm have confidence that it has properly carried out its CDD obligations, including
monitoring customer transactions and activity (Chapter 5)

2
• the identification and reporting of suspicious activity, and data protection (Chapter 6)
• staff awareness, training and alertness (Chapter 7), and
• record-keeping (Chapter 8).

Part II: Sectoral Guidance

Part II contains industry-specific chapters addressing particular issues faced by different sectors (such as
retail banking, financial advisers, private equity). Part II should be read in conjunction with the general
guidance contained in Part I, not alone.

Part III: Specialist Guidance

Part III contains specialist guidance, which should be read in the context of the general guidance in
Part I. Part III covers:

• Chapter 1: transparency in electronic payments (wire transfers)

• Chapter 2: deleted – the ‘equivalent jurisdictions’ text has been moved to Chapter 4 of Part 1
• Chapter 3: equivalent markets (non-HMT approved)
• Chapter 4: compliance with the UK financial sanctions regime, and
• Chapter 5: directions under Schedule 7 to the CTA.

In the UK, there has been a long-standing obligation to have effective procedures in place to detect and
prevent money laundering.

Status of the Guidance

The JMLSG guidance is not legally binding, so compliance with it is not compulsory. However, it provides
an indication of what the courts and UK AML and CFT supervisors (including the FCA) expect of firms.
When tailored by a firm to its particular circumstances, compliance with some of the guidance can
provide a ‘safe harbour’ in the event of prosecution under certain parts of the UK AML and CFT regime.
POCA (Sections 330(8) and 331(7)) stipulates that a court must consider whether a person followed any
‘relevant guidance’ issued by a supervisory authority or any other ‘appropriate body’ when determining
whether a person has committed certain money laundering offences. To be considered by the court in
this context, the relevant guidance must be approved by HM Treasury, which has overall responsibility
for money laundering policy in the regulated sector.

9.2 Money Laundering Offences and Penalties

POCA establishes five offences:

1. Concealing (S.327) – it is an offence for a person to conceal or disguise criminal property or to

convert, transfer or remove such property from the jurisdiction.
2. Arrangements (S.328) – that is, being concerned in an arrangement which the person knows, or
suspects, facilitates the acquisition, retention, use or control of criminal property for another person.
Being concerned in an arrangement may be widely interpreted – it could include a person advising
on a transaction, for example.

107
3. Acquisition, use and possession (S.329) – acquiring, using or having possession of the criminal
property.
4. Failure to disclose (S330, 331 & 332) – there is a duty on employees in the regulated sector to
make reports where they know or suspect that another person is engaged in money laundering or
terrorist financing activity. It is an offence for employees to fail to disclose such information to their
MLRO. Three conditions need to be satisfied for this to be an offence:
a. the person knows or suspects (or has reasonable grounds to know or suspect) that another
person is committing an offence
b. the information giving rise to the knowledge or suspicion came to them during the course of
business in a regulated sector (described below), and
c. the person does not make the required disclosure to a nominated officer, such as the firm’s
MLRO, as soon as is practicable.
5. Tipping-off (S.333) – this is a particular offence applying only to persons working in the regulated
sector, and it involves disclosing a suspicious activity report or investigation. It is committed
where a person knows or suspects that by disclosing the information this is likely to prejudice the
investigation, and the information came to them in the course of business in the regulated sector. It
is possible to commit this offence even if you do not know that a report has actually been made.

The first three offences apply to all persons and businesses, while offences 4 and 5 apply only to persons
in the regulated sector. A conviction in a Crown Court can lead to up to 14 years’ imprisonment, an
unlimited fine, or both for the first three offences. For offences 4 and 5, the sentence can be up to two
years’ imprisonment or an unlimited fine, or both.

Offences 4 and 5 (failure to disclose and tipping-off) apply only to persons in the regulated sector.
The regulated sector is broader than just the financial services community; it includes a wide range of
organisations involved in handling substantial amounts of cash. This includes authorised firms, estate
agents, bureaux de change, consumer credit institutions, law firms, casino operators, accountants, high-
end auctioneers, and insolvency practitioners. A person in the regulated sector found guilty of failure
to disclose or tipping off will, upon conviction in a Crown Court, be sentenced to imprisonment for up
to two years, or an unlimited fine, or both. Outside of the regulated sector, the imprisonment sentence
increases to up to five years.

A person may commit the offence of failure to disclose suspicions of money laundering, even if they
did not, in fact, suspect money laundering; they may commit this offence if they did not suspect money
laundering, but had reasonable grounds to know or suspect it. The test to determine whether there are
reasonable grounds is called the ‘objective test,’ which considers whether a reasonable person would
have known or been suspicious, even if the offender protests their innocence.

A person has a defence against the first three offences (concealing, arrangements, and acquisition, use
and possession) if they make the required disclosure to the MLRO or, if the person was the MLRO, to the
National Crime Agency (NCA).

108
 Managing Regulatory Obligations

9.2.1 Reporting Suspicious Transactions (SARs)

Following internal notification within a firm to the MLRO, and an assessment that the activity is suspicious
and does not follow the usual activity of the client in question (or the business activity undertaken by the

2
client), then the firm must make a report in a timely manner to the NCA.

Therefore, the key to knowing when to report suspicious activity is to have a good understanding of your
customer – from understanding their business and building relationships with them to understanding
their activities and transactions. Firms should implement monitoring tailored to identify unusual activity
that would not fall into the ‘usual’ activity of their clients. Not all clients have the same ‘usual business
activity,’ highlighting the importance of continuous engagement with clients to stay up-to-date with
their business needs and activities.

Reporting can be done online or manually. The SAR report must contain all relevant information about
the individual(s) or entity in question.

Just like Suspicious Transaction and Order Reports (STORs) under the UK Market Abuse Regulation, a firm
must not second-guess what the NCA would consider as suspicious. Firms must report all activities they
consider suspicious based on the profile and transaction activity of the individual(s) or entity.

The Reporting of STORs and Suspicious Activity Reports (SARs) – Overlapping Regimes
The FCA wrote to the trade association UK Finance in 2019 regarding firms’ reporting of suspicious
transactions under the STOR (UK MAR) and Suspicious Activity Report (SAR) regimes.

Determining when to report under STOR and/or SAR can be complex as they serve different purposes. The
authorities have criticised firms that believe filing a report under one regime discharges their obligations
to report under the other. The FCA sent a letter and provided advice to UK Finance, emphasising that
firms must consider, on a case-by-case basis, whether they need to submit a STOR, SAR, or both.

9.3 Senior Management Obligations

The Money Laundering Regulations 2017 apply to a wide range of organisations, as well as the financial
services community, estate agents, bureaux de change, consumer credit institutions, law firms, casino
operators, accountants, high-end auctioneers, and insolvency practitioners. This is referred to as the
regulated sector. Supervision of the regulated sector is split between the FCA (for most financial services
firms) and His Majesty’s Revenue & Customs (HMRC).

The regulations contain specific requirements to prevent money laundering by firms. The requirements
are in three main areas:

1. Due diligence – including identifying customers

2. Internal policies and procedures – including record-keeping, training of staff, and reporting of
suspicions of money laundering
3. Supervision and registration – this provides the powers of the supervisors (FCA and HMRC).

109
Non-compliance can result in a jail term of up to two years and/or a fine upon conviction in the Crown
Court. Courts must consider whether the firm followed relevant JMLSG guidance when deciding if an
offence has been committed.

9.3.1 FCA requirements

The FCA’s SYSC Sourcebook contains high-level requirements for firms to maintain adequate systems
and controls to prevent them from being used for financial crime. SYSC 4.1.1R requires firms to have
robust governance arrangements, including effective processes to identify, manage, monitor and report
risks and internal control mechanisms to ensure effective controls and safeguards.

SYSC 6.1 (compliance) and SYSC 6.3 (financial crime) provide guidance on the measures firms should
take regarding to financial crime.

Systems and Controls

Authorised firms must establish and maintain effective systems and controls to identify, assess, monitor,
and manage money laundering risks, which should be comprehensive and proportionate to the nature,
scale, and complexity of their activities. They must regularly assess the adequacy of these systems and
controls, including verifying the source of both wealth and funds during the client take-on process (CDD,
also known as KYC).

Money laundering risk is the risk that a firm may be used to launder the proceeds of crime. In identifying
its money laundering risk, and establishing its systems and controls, a firm should consider various
factors, including:

• its customer, product, and activity profiles

• its distribution channels
• the complexity and volume of its transactions
• its processes and systems, and
• its operating environment.

A firm should ensure its systems and controls include:

• training for its employees in relation to money laundering prevention

• provision of information to its governing body and senior management, including a report at least
annually by the firm’s MLRO on the operation and effectiveness of those systems and controls
• documentation of its risk management policies and risk profile in relation to money laundering
• measures to ensure that money laundering risk is taken into account in its day-to-day operation and
also with the development of new products, the taking-on of new customers, and changes in its
business profile, and
• measures to ensure that new client identification procedures do not unreasonably deny access for
persons who may not be able to produce detailed evidence of identity.

Each authorised firm must give a director or senior manager (who may also be the MLRO) overall
responsibility for the establishment and maintenance of effective AML systems and controls.

110
 Managing Regulatory Obligations

A firm must also appoint an MLRO, responsible for receiving and assessing internal suspicion reports,
and determining, after proper investigation, whether to report them to the NCA. Under the APER, the
MLRO would be performing a controlled function. Under the SM&CR, they would be classified as an SMF
17 – performing a senior management function role.

2
The firm must ensure that its MLRO has an appropriate level of authority and independence within
the firm and has access to resources and information sufficient to enable them to carry out their
responsibilities. The MLRO acts as a central point for all AML-related activity within the firm and should
be based in the UK.

Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have
a separate compliance function, which may be heavily involved in monitoring the firm’s compliance
with its anti-money laundering procedures. The organisation and responsibilities of a compliance
function should be documented. A compliance function should be staffed by an appropriate number of
competent and sufficiently independent staff. It should be adequately resourced and have unrestricted
access to the firm’s relevant records.

When considering whether a breach of its rules on systems and controls against money laundering has
occurred, the FCA will look to see if the firm has followed relevant provisions in the guidance for the UK
financial sector, provided by the JMLSG. It has stated that:

‘The guidance ... provides a sound basis for firms to meet their legislative and regulatory obligations
when tailored by firms to their particular business risk profile. Departures from this guidance, and
the rationale for so doing, should be documented, and firms will have to stand prepared to justify
departures, for example to the FCA.’

Section 24 of MLR 2017 states that firms must take appropriate measures to ensure that relevant
employees are:

• made aware of the law relating to money laundering and terrorist financing and the requirements of
protection which are relevant to the implementation of MLR 2017, and
• provided with regular training on how to recognise and deal with transactions and other activities or
situations which may be related to money laundering or terrorist financing.

Firms must maintain records of the measures taken, particularly the training provided to employees.

Relevant employees are defined as employees whose roles are capable of contributing to the
identification or mitigation of the risk of money laundering and terrorist financing to which the firm is
subject, or prevention or detection of money laundering and terrorist financing concerning the firm’s
business.

The appropriate measures that firms should consider and implement should take the nature of the firm’s
business, its size, and the nature and extent of the risk of money laundering and terrorist financing to
which the firm is subject into account.

111
Relevant aspects of the guidance are summarised below:

The JMLSG Requirements – ‘Systems and Controls’

Senior management of firms must appoint an appropriately qualified senior member of staff who will
have overall responsibility for the maintenance of the firm’s AML systems and controls.

To determine the arrangements and controls needed by a firm, senior management must perform a risk
assessment considering factors such as:

• the nature of the firm’s products and services

• the nature of its client base, and
• the ways in which these may leave the firm open to abuse by criminals.

Firms must also have an AML policy statement in place; this provides a framework to the firm and its
staff and must identify named individuals and functions responsible for implementing aspects of the
policy. The policy must also set out how senior management undertakes its assessment of the money
laundering and terrorist financing risks the firm faces and how these are to be managed.

9.4 Customer Due Diligence (CDD)

Chapter 5 of Part 1 of the JMLSG Guidance is a practical guide to the due diligence required for different
types of customers to establish their identity before commencing business with them.

Customer identities should be verified in advance whenever the firm is entering into a business
relationship with a party, or undertaking a transaction of €15,000 or more outside of a business
relationship. Additional due diligence should be carried out whenever the firm suspects money
laundering or terrorist financing, even for existing customers.

In general, firms should vary their customer due diligence according to the level of risk of money
laundering or terrorist financing they are exposed to. Fewer checks are needed be for low-risk customers,
such as regulated firms or governments, or for low-risk products like pensions (referred to as simplified
due diligence). More checks are required for customers posing a higher risk of money laundering, such
as those applying for a service online or in a position exposing them to corruption (enhanced due
diligence).

The stages of CDD are:

1. obtaining evidence of identity and any beneficial owner

2. verifying evidence of identity to ensure that the evidence is valid, and
3. obtaining information to enable the firm to understand the nature and purpose of the relationship
intended, monitoring the relationship, and identifying suspicious transactions.

For personal customers, the standard identification requirement is to ascertain the customer’s name,
residential address and date of birth. This may be satisfied by producing a valid passport or driving
licence, utility bill, letter from a government agency (eg, HMRC), or a bank statement. Firms should
maintain records of the evidence and verification. Additionally, firms should ascertain the source of the
customer’s wealth and/or funds.

112
 Managing Regulatory Obligations

In ascertaining the source of funds, the firm should establish whether the funds are to be paid from (for
example) a bank account, credit or debit card, or solicitors’ account, and ensure that this is an expected
source. A firm may also enquire as to the source of the customer’s wealth to ensure it understands how
the customer obtained the funds in question, eg, from earnings, inheritance, savings, company sale or

2
another source. In both cases, the firm should take a risk-based approach, carrying out more detailed
verification in high-risk transactions.

For a corporate customer, firms should obtain evidence of its full name, registered number, registered
office and business address, in the form of, eg, a certificate of incorporation, articles of association or
bank details. It should also verify the identity of any beneficial owner of the company.

Verification of the customer’s identity and, where applicable, the beneficial owner must be subject
to certain exceptions and take place before establishing a business relationship or carrying out a
transaction. If there is a delay between forming the business relationship and verifying the customer’s
identity (eg, in the case of non-face-to-face business), the firm’s risk management procedures should
limit the relationship’s extent. This could be done by placing restrictions on the transactions the
customer can enter into or on the transfer of funds until verification is complete.

Additionally, firms should monitor their business relationships on an ongoing basis to build a clear
understanding of the customer’s circumstances and investment patterns.

If simplified due diligence (SDD) does not apply, satisfactory identification evidence for the customer
should be obtained and verified as soon as reasonably practicable after the first contact between the
firm and the customer. If there is a delay between forming the business relationship and verifying the
customer’s identity (eg, in non-face-to-face business), firms’ risk management procedures should limit
the relationship’s extent. This could be done by placing restrictions on the transactions the customer can
enter into or on the transfer of funds until verification is complete.

If a firm cannot satisfactorily verify a customer’s identity, it should not proceed with the business
relationship and should consider whether this should cause it to make a report to the NCA. If the
customer cannot produce the correct documents or information, the firm may consider whether there is
another way to verify their identity.

Enhanced due diligence (EDD) is when the firm conducts more checks than for standard cases. Firms
must apply EDD measures on a risk-sensitive basis in any situation that presents a higher risk of money
laundering or terrorist financing. Under its risk-based approach, a firm may conclude that the information
collected during the customer due diligence process is insufficient for the money laundering or terrorist
financing risk and must obtain additional information about the customer, the customer’s beneficial
owner, if applicable, and the purpose and intended nature of the business relationship.

Therefore, firms should hold sufficient information about their customers’ circumstances and business,
and their customers’ beneficial owners, if applicable, for two principal reasons:

• To inform their risk assessment process, and thus manage their money laundering/terrorist financing
risks effectively.

113
• To provide a basis for monitoring customer activity and transactions, thus increasing the likelihood
that they will detect the use of their products and services for money laundering and terrorist
financing.

Firms’ information demands need to be proportionate, appropriate and discriminating, and need to be
justifiable to customers. Therefore, firms must maintain more information on clients deemed to carry a
higher money laundering or terrorist financing risk or seeking a product or service with a higher risk of
being used for money laundering or terrorist financing.

MLR 2017 introduced specific circumstances in which EDD measures must be applied:

• Any case identified by the firm under its risk assessment (or in information provided by the
supervisory authorities) where there is a high risk of ML/TF.
• Any transaction with a person established in a high-risk third country where the client has not been
physically present for identification purposes in respect of a relation to correspondent banking
relationships.
• In respect of a business relationship or occasional transaction with a PEP, if the firm has determined
that a customer or potential customer is a PEP, or a family member or known close associate of a PEP
in any case where a customer has provided false or stolen identification documents or information
on establishing a relationship.
• In any case where a transaction is complex and unusually large or there is an unusual pattern of
transactions.

A PEP is defined as:

‘an individual who is or has, at any time in the preceding year, been entrusted with prominent public
functions, other than as a middle-ranking or more junior official.’

Under the definition of a PEP, a firm’s obligation to apply EDD measures to an individual ceases one year
after they have left office, or longer if the firm considers it appropriate to address ML/TF risks.

Family members of a PEP include a spouse or partner of that person, a partner (including a person
considered equivalent to a spouse by their national law), children of that person and their spouses or
partners, and parents of that person. Firms no longer need to apply EDD measures to family members
or close associates of a PEP when the PEP is no longer entrusted with a prominent public function,
regardless of whether the noted period has expired.

Firms are expected to apply enhanced due diligence on a risk-sensitive basis and to:

• have in place appropriate risk management systems and procedures to determine whether a client
or the beneficial owner of a client is a PEP, or a family member or known close associate of a PEP
• obtain appropriate senior management approval for establishing, or continuing, a business
relationship with such a client
• take adequate measures to establish the source of wealth and source of funds which are involved in
the business relationship or occasional transaction, and
• conduct enhanced ongoing monitoring of the business relationship.

Firms should take a proportional, risk-based approach to transactions or business relationships with
PEPs, depending on their risk assessment. Establishing whether individuals qualify as PEPs is not always

114
 Managing Regulatory Obligations

straightforward. The legal definition is explicit, but there may be confusion over middle-ranking or junior
officials with significant or absolute control. Firms should employ a risk-based approach to assess where
the PEP sits on the risk scale.

2
Part of the KYC activities may involve using credit reference agencies’ data in order to access and assess
information such as electoral registers and credit history (including financial associates with linked
financial records) and update that information if necessary.

9.5 The Money Laundering Reporting Officer (MLRO)

Under POCA 2002 (S.330–332), it is an offence to fail to disclose a suspicion of money laundering. Staff
at financial services firms must be aware of what constitutes a suspicion. Therefore, the ML Regulations
require all relevant employees to be trained to recognise and deal with money laundering transactions.
This training should cover the law relating to money laundering and terrorist financing, how to
recognise money laundering and terrorist financing (including the main risk areas for their own firm),
and what procedures to follow if they become aware of suspicious activity. The training should be
tailored to the firm’s own business and structure and form part of a regular, ongoing training program,
whose effectiveness is monitored.

Firms must also ensure that business relationships are sufficiently understood and monitored so that
staff can recognise patterns of activity inconsistent with a customer’s anticipated profile.

Ultimately, disclosure of suspicions is made to the NCA; however, disclosure goes through two stages.
First, any employee with a suspicion should disclose it to their firm’s MLRO, who reviews matters and
decides whether the suspicion should be passed on to the NCA.

By reporting to the MLRO, the employee with the suspicion has fulfilled their legal responsibilities.
Similarly, by reporting to the NCA, the MLRO has fulfilled their responsibilities under the law.

The main part of the FCA Handbook related to the role of the MLRO is the SYSC Sourcebook. As an
approved person, the MLRO is subject to the Senior Managers Regime under the SM&CR, with primary
responsibility for ensuring that the firm adequately trains its staff in the knowledge and understanding
of regulatory requirements and how to recognise and deal with suspicious transactions.

Under the FCA rules, all firms (except for sole traders, general insurance firms and mortgage
intermediaries) must appoint an MLRO with responsibility for oversight of their compliance with the
FCA’s rules on systems and controls against money laundering.

The Money Laundering Regulations require all affected firms (including some non-FCA firms) to appoint
a nominated officer (NO) responsible for receiving internal money laundering disclosures from staff
members and making external reports to the NCA if necessary. The nominated officer is also responsible
for receiving internal disclosures under POCA and the Terrorism Act 2000.

High-level requirements and obligations are placed on a firm’s senior management to ensure that they
have systems and controls to prevent money laundering and terrorist financing. The JMLSG Guidance
aids firms in interpreting and dealing with these obligations in the context of the specific types of
business undertaken by the firm.

115
To determine the arrangements, systems, and controls needed by a firm, senior management must
perform a risk assessment considering factors such as:

• nature of the firm’s products and services

• nature of its client base and geographical location, and
• ways in which these may leave the firm open to abuse by criminals.

9.6 Terrorism & Money Laundering

The Terrorism Act 2000 defines what amounts to terrorism, as the use or threat of use of action where it:

• involves serious violence against a person or serious damage to property

• endangers a person’s life, other than the person committing the action
• creates serious risk to the health or safety of the public (or a section of the public)
• is designed to seriously interfere or disrupt an electronic system, and/or
• is designed to influence the government or intimidate the public (or a section of the public), or is
made for the purpose of advancing a political, religious or ideological cause.

If the threat or action involves the use of firearms or explosives, it is considered terrorism regardless of
the intention to influence the government or intimidate the public.

Many of the requirements of anti-terrorism legislation are similar to those of anti-money laundering
provisions. A person commits an offence if they enter into, or become concerned with, an arrangement
facilitating the retention or control of terrorist property by concealment, removal from the jurisdiction,
transfer to nominees, or any other means. A person may have a defence if they can prove they did not
know and had no reasonable cause to suspect the arrangement was related to terrorist property.

There is a duty to report suspicions and it is an offence to fail to report if there are reasonable grounds
to do so. The Terrorism Act 2000 and the Anti-Terrorism Crime Security Act 2001 specify that a failure to
report is liable to a term of up to five years in jail and a fine.

The Counter-Terrorism Act 2008 (CTA)

The CTA enhanced the government’s armoury of legislation to tackle terrorism. Of particular interest is
Schedule 7, which gives new powers to the Treasury to issue directions to firms in the financial sector.

In summary, directions can be given to individual firms, to firms that fit a particular description, or to the
sector as a whole, concerning individuals or instituitions doing business or resident in the UK. Directions
can relate to CDD and ongoing monitoring, systematic reporting on transactions and business
relationships, and limiting or ceasing business.

• Customer due diligence and monitoring – these provisions are similar to existing requirements
under the Money Laundering Regulations. However, the Treasury can now direct that CDD be
undertaken again or completed before entering into a business relationship, or that enhanced
measures be carried out. It may also direct specific activity monitoring.
• Systematic reporting – previously, reporting orders had to be obtained through the courts by law
enforcement. Under the CTA, the Treasury can now require information on business relationships
and transactions involving specified person(s), either on a one-off or periodic basis.

116
 Managing Regulatory Obligations

• Limiting or ceasing business – the Treasury’s powers under the Money Laundering Regulations
(Regulation 18) were limited to situations where the Financial Action Task Force (FATF) applied
countermeasures. The CTA’s powers are more flexible, allowing directions in a wider range of
situations.

2
Under the CTA, the Treasury may issue directions when one or more of the following criteria are met:

• The FATF has advised that countermeasures should be applied to a country (as per the Money
Laundering Regulations).
• The Treasury reasonably believes that money laundering/terrorist financing activities are being
carried on in the country, by its government or by persons resident/incorporated there, which pose
a significant threat to the UK’s national interests.
• The Treasury reasonably believes that the country is developing or producing nuclear or chemical
weapons, or doing anything to facilitate that, and poses a significant threat to the UK’s national interests.

If a direction is made to an individual firm, it will be served upon them.

The Financial Action Task Force (FATF)

The Financial Action Task Force (FATF) is responsible for examining and developing measures to combat
money laundering. The FATF is the global watchdog for money laundering and terrorist financing. It is
an inter-governmental body that sets international standards to prevent these illegal activities and the
harm they cause to society. As a policy-making body, the FATF works to generate the necessary political
will for national legislative and regulatory reforms in these areas.

With more than 200 countries and jurisdictions committed to implementing them, the FATF has
developed the FATF Recommendations and FATF Standards, ensuring a coordinated global response to
prevent organised crime, corruption, and terrorism. These standards help authorities target the money
of criminals involved in illegal drugs, human trafficking, and other crimes. The FATF also works to stop
funding for weapons of mass destruction.

The FATF reviews money laundering and terrorist financing techniques and continuously strengthens
its standards to address new risks, such as the regulation of virtual assets, which have spread as
cryptocurrencies gain in popularity. The FATF monitors countries to ensure they fully and effectively
implement the FATF Standards and holds non-compliant countries accountable.

9.7 Bribery
Learning Objective

2.8.3 Understand the main offences set out in the Bribery Act 2010 and the penalties for committing
the offences set out in that Act

The Bribery Act contains two general offences: the offering, promising, or giving of a bribe (active
bribery), and the requesting, agreeing to receive, or accepting of a bribe (passive bribery) in Sections
1 and 2 respectively. It also sets out two further offences specifically addressing commercial bribery.
Section 6 creates an offence relating to bribery of a foreign public official to obtain or retain business or

117