Career Legal: What you need to know about the money laundering regulations 2017

Finalised in mid-2015, the ‘Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017’ was only recently approved by Parliament and commenced on the 26th June 2017. Despite being aware of it for over two years, firms have only had access to a draft version of its content since March 2017 and, as such, have had a notably limited amount of time to prepare for the new regulations.

To make things harder, supervisory authorities have also only had a short window in which to update their anti-money laundering (AML) guidance. The Legal Sector Affinity Group has informed HM Treasury that for the time being they will be taking a sensible approach to AML supervision, allowing legal professionals time to adapt to the new regulations. With this in mind, I’ve constructed a short guide of what you need to do to comply with the new regulations as best you can.

Risk assessment

Regulation 18 states you must carry out a written risk assessment to identify and assess the risks your firm faces relating to money laundering and terrorist financing.

In this assessment you must consider information on money laundering and terrorist financing risks made available to you by the SRA, as well as the steps you have taken to mitigate the risks of money laundering and terrorist financing at your firm.

Create internal controls

You will need to appoint a person, at senior management level at the very least, who is responsible for compliance with the regulations, and inform the SRA of their identity within 14 days of their appointment.

In addition, you will need to screen relevant employees before and during their time at your firm, assessing whether their skills, knowledge and expertise are adequate to do their job effectively, as well as their conduct and integrity.

An independent audit needs to be established to examine whether your system and employees are adequate to meet the regulations.

Meet the requirements set out in the regulations by implementing systems to address money laundering and terrorist financing risks

You must implement a risk-based system which contains written policies, controls and procedures which manage and mitigate the risks you identified in your assessment. This system needs to be regularly reviewed, maintained and communicated internally within your firm so everyone is aware of it.

Apply these systems to your firm on a wide scale

This section is only relevant if your firm has subsidiaries or branches. If your subsidiaries/branches are located in EEA states then they must follow the national law implementing the new regulations.

Subsidiaries/branches located in states outside the UK which do not have anti-money laundering and terrorist financing laws as strict as those in the UK must apply measures equivalent to those required under UK law.

Politically Exposed Persons (PEP)

The EU have been cracking down on PEPs in recent years due to concerns that they are using their positions to corruptly enrich themselves. The regulations require you to have a system in place that determines whether a client or the owner of a client is a PEP or an associate of a PEP.

If you have a business relationship with a PEP or an associate of a PEP then you must get the relationship approved at a senior level, then take adequate measures to establish source of wealth and funds involved in the business relationship/transaction and conduct enhanced ongoing monitoring of the relationship.

Due diligence

Customer due diligence (CDD)

The new regulations are more prescriptive than the 2007 regulations when it comes to carrying out CDD checks. Under the new regulations you are required to:

  • Verify your client's identity through reliable authentication documents, e.g. a passport
  • Where applicable, identify the beneficial owners of the client and take measures to verify their identity
  • Obtain appropriate information with the purpose of the business relationship or transaction in order to verify the identity of a person who acts on behalf of a client

When your client is a corporate body you must verify its name, its company number or other registration, and the address of its registered office. Regulation 43 obliges corporate bodies to provide you with all the necessary information.

Enhanced due diligence (EDD)

Regulation 33(1) sets out circumstances which present a high risk of money laundering or terrorist financing. In these situations EDD measures must be applied.

Regulation 33(6) sets out a list of factors that must be considered when assessing whether a high risk of money laundering and terrorist financing is present in a given situation, and the extent of the EDD measures which must be applied as a result.

Under the regulations EDD measures must include, as a minimum, examining the background and purpose of the transaction and increasing your monitoring of the business relationship.

Simplified due diligence (SDD)

This occurs when you determine that the business relationship or transaction presents a low risk of money laundering or terrorist financing. This is a change from the 2007 regulations, under which SDD was the default option for a defined list of entities.

To help you determine this, Regulation 37(3) describes which situations present a low risk of money laundering or terrorist financing.

Data protection

Regulation 40 requires you to keep a copy of the documents obtained to fulfill your CDD obligations and supporting records for five years after the end of the business relationship. After the five years have passed you must delete any personal data in those records unless stated otherwise by an authoritative party or you have the consent of the person whose data it is.

Regulation 41 prohibits you from processing personal data for any purpose other than the agreed transaction, unless it is permitted under an enactment or you have the consent of the person whose data it is.

Staff training

You will need to provide staff with training on the new regulations which includes an obligation to make staff aware of the law on data protection.


As of 26th June 2018, acting as a beneficial owner, officer or manager of a firm without approval will be a criminal offence (unless you have applied and are awaiting your approval). You also need to apply for SRA approval if you are a sole practitioner. 


This article was written by Adam Spencer at Career Legal. If you would like to discuss careers or hiring in the risk and compliance sector get in touch with Adam by email or over the phone: DD: 020 7382 4277 / Mob: 07738182711.




