AML Roadshow 2017 The New ML Regulations What

AML Roadshow 2017 The New ML Regulations: What they mean to you and your practice

Presentation Content Item Reminder: The AML Legislative Framework Money Laundering Regulations 2017 – An Overview ML Regulations 2017 – Overview of Specific Changes Firm Risk Assessment Client/Matter Risk Assessment Internal Controls/Training Customer Due Diligence Enhanced Due Diligence (& treatment of PEPs) Record Keeping & Data Protection AML Supervisory Requirements AML Data Submissions to the Society LSS Current Activity Summary Page

Reminder: The AML Legislative Framework International Financial Action Task Force (FATF) 40 + 9 Recommendations The FATF Recommendations set out a comprehensive framework and set of international standards to combat money laundering and terrorist financing, which countries use to form the basis of national legislation • The FATF Recommendations set out a E. U. The 4 th Money Laundering Directive EU issues MLDs in order to comply with FATF recommendations – enshrined into UK law via ML Regulations UK. ML Regulations 2017 • Risk Assessments, CDD, Appointment of MLRO, Policies & Procedures, Record Keeping, Training, Provision of information POCA 2002 • Principal money laundering offences • Offences of failing to report suspected money laundering • Offences of tipping off TACT 2000 • Establishes several offences - engaging in or facilitating terrorism, raising or possessing funds for terrorist purposes. • Establishes a list of proscribed organisations the Secretary of State believes are involved in terrorism • a failure to disclose offence and tipping offences LSS Practice Rules (2011) S B 6. 23 allow the Society to enforce ML Regulations, POCA & TACT within our membership and allows for disciplinary action where necessary

Money Laundering Regulations 2017 – An Overview l The Money Laundering, Terrorist Financing and Transfer of funds (Information on the Payer) Regulations 2017 were implemented into UK law on 26 th June. l These introduce an extension of the “risk-based approach” to AML Compliance – but are more prescriptive in terms of what firms should consider when implementing this approach l This is not a sea-change for our members - the fundamental tenets of AML compliance within the legal sector remain unchanged. Firms must still: l Undertake AML Risk Assessments of clients and transactions Undertake Client Due Diligence - know your clients, their background and the provenance of the funds in your client account Put in place AML Policies & Procedures - note, however, the new regulations state that you must maintain a written record of these Identify Politically Exposed Persons (PEPs) and apply enhanced due diligence where appropriate Appoint a Money Laundering Reporting Officer Provide relevant AML Training for your partners and staff Keep adequate records of AML related activities l There are some specific changes…. l l l

ML Regulations 2017 – Overview of Specific Changes What does your firm need to do differently? Some specific (but mostly minor) changes are contained within the following regulations: Regulation 18 19 & 21 Change Risk assessment methodology (including firm risk assessment) Policies & Internal Controls 24 Training 28 Customer Due Diligence Measures 33 Obligation to apply enhanced due diligence in certain circumstances 35 Extension of PEP status 40 & 41 Record Keeping & Data Protection responsibilities 42 -45 Beneficial Ownership Information & Requirements We will go through some of these in the following slides…

Firm Risk Assessment l l Firms are required to prepare a firm level risk assessment. This will involve taking reasonable steps to identify and assess the risks your firm faces, and keeping a written and up-to-date record of those steps you have taken. This is the cornerstone of your AML control framework When documenting your risk assessment, you should consider the potential AML risks around: l Your client base Where your clients, or their funds are coming from The services you are providing to your clients How you provide services to your clients Size and nature of your business Geographical location of practice l Further information is available on our website l The regulations also stipulate that the firm risk assessment take into consideration our supervisory risk assessment – available on our website Your risk assessment should be made available to the Society, upon request. l l l While it is not possible to prevent entirely the risk of being targeted by criminals, having a robust risk assessment will help justify the steps you took.

Client/Matter Risk Assessment l The new regulations are more prescriptive in terms of risk factors that must be considered l These specific factors are contained within Regulation 33 but generally, questions to ask and answers to document may be: • • • • How well do you know your client and background? Have you met the client face to face? Is the client co-operative in the CDD process? If the client is an entity – do you have full visibility of the beneficial owners and directors/controllers? Is instruction from the client channelled through a 3 rd party? How much direct interaction do you have with your client? Is your client a known criminal? Does the source of wealth/source of funds and amount of money involved stack up with what you know of your client? E. g. occupation/age? Is your client involved in/run a high risk or high cash turnover business? Does your client have connections to a jurisdiction where money laundering controls may not be as tight? Are funds being sent to/from any of these places? Is your client a Politically Exposed Person (PEP)? Is your client a sanctioned entity or individual – are they resident in a sanctioned country? Does the level and type of transaction fit the client's profile Does the transaction makes sense? Is it overly complex? Why? Does the client’s choice of representation (i. e. you!) make sense? Could the type of transaction be used for the purposes of money laundering (property purchase yes, writing a will – not so much…) Do you know where the money is coming from/the provenance of the funds • Risk should be assessed and documented across the life of the client relationship/matter. • • A risk assessment template is available on our website

Internal Controls/Training Unchanged Requirement to have appropriate written policies, controls & procedures in place, approved by senior management (ML Regulation 19). These must include provisions for: • Customer due diligence measures and ongoing monitoring; • Reporting; • Record-keeping; • Risk assessment and management; • The monitoring and management of compliance with, and the internal communication of, such policies and procedures • Determination of PEP status • Scrutiny of unusual transactions • Recommended that the policy also includes provisions in relation to training of staff • Appointment of an MLRO/Nominated Officer Changed/Additions Regulation 21 – “Internal Controls”, places additional requirements re: • • • Board Level Appointment (if relevant)* Employee Screening* External Audit * AML-related reporting to senior management Processes/systems to allow rapid response to law enforcement • Notification of MLRO/Board level Appointment to the LSS. * appropriate to the size and nature of your firm Regulation 24 – “Training”: • Specific requirement to maintain and record evidence of AML training to staff/partners/fee earners, including materials and training records. • This training must also now include training on data protection issues

Customer Due Diligence Unchanged Generally, the requirement to identify and verify your clients has not changed Identify: record Full Name, Residential Address & Date of Birth Verify: Undertaking a review/checking of these details using reliable independent sources - to ensure these details are genuine, and the client is who they say they are. Ideally – original passport/photo-card driving licence + original utility bill/bank statement (within 3 months). Remember - obtaining ID&V is NOT “Knowing Your Customer”!! Identifying Corporate Entities: Required for all Companies - Company Name, Registered Number, Business Address and Registered Address. If PLC or regulated – proof of listing, or proof of regulation. Also required for Private Companies: ID&V for Directors, those with =>25% shareholdings and any other person (natural or entity) exercising control over the Company. Bear in mind dilution Changed/Additions There is now a specific requirement to undertake CDD/ID&V checks when you become aware of any changes in the circumstances of your client: • • Identity/beneficial ownership changes Transactional profile changes Changes in the purpose/nature of the relationship Any other matter that arises which may affect your risk assessment of the client For corporate clients: • Firms must now identify and document the governance and constitutional structure of the entity (articles of association) • Identify and verify beneficial ownership structures • If the person instructing you is acting on behalf of an underlying client – you must also identify and verify that individual

Enhanced Due Diligence (& treatment of PEPs) Unchanged Changed/Additions Enhanced Due Diligence: When you have assessed the client/transactional risk as “high”: • Widened scope of circumstances where EDD should be applied application – Reg. 33(1) • More prescriptive in terms of risk factors which must be considered – Reg. 33(6) • Extended range of measures to be taken when applying enhanced due diligence • Standard Due Diligence (previous slide) + evidence of Source of wealth & Source of funds • Ongoing monitoring of the business relationship Politically Exposed Persons: • Previously, only foreign PEPs • Widened definition of PEPs – domestic (UK) included, senior members of international organisations

Record Keeping & Data Protection Unchanged Changed/Additions Firms must keep records of CDD material and supporting evidence and records in respect of the relevant business relationship or transaction Records must be kept in order to evidence compliance with the regulations and defend any allegations against the firm in relation to money laundering and failure to report offences. • Specific requirement to delete data used for purposes of fulfilling ML obligations after 5 years • If kept longer, must have valid business justification and client consent - terms of business amendment may be required Relevant records could be: • AML Policies, Procedures, Manuals • Risk Assessments • CDD Evidence • Evidence of staff training • Suspicious Activity Reports • E-Verification records • PEP/Sanction Screening Searches • Any data obtained for purposes of the regulations may only be used for the purposes of preventing ML/TF (unless waiver from the client is obtained) • The firm must inform the client of the above obligation. AML Procedures must outline what records are to be kept, the form in which they should be kept and the records retention period. Records should be kept for (at least) 5 years from the date on which the business relationship/transaction ends. New regulation 41 – Data Protection:

AML Supervisory Requirements l l l l l Deliver “risk based” supervision - base frequency and intensity of supervisory activity on risk profiling of our membership This means assessing the risk of individual firms, or segments of the membership. Supervisory functions to be “exercised independently of any of their functions which do not relate to disciplinary matters” • Handle sensitive information appropriately • “employ only persons with appropriate qualifications, integrity, professional skills” • “provide adequate resources” • “appoint a person to monitor and manage” compliance Undertake a sectoral risk assessment and publish Closer cooperation with HMT, NCA, OPBAS, other supervisory bodies Approval of “beneficial owners, officers, managers of firms” Register of firms “Board level person” & MLRO Capture of TCSP-related data Gather specific AML-related information from members to: • Inform our risk-assessment of the sector • Inform our risk-based approach to supervision • Fulfil our obligations to submit specified information to HMT Additional & significant new powers – public censure, imposing prohibitions on individuals, fines

AML Data Submissions to the Society l Further to member data already received by LSS (through Accounts certificates and other means) the Society is obliged to also capture information pertaining to: • • The number of members subject to LSS supervision The number of supervised persons who are individuals. The number of its supervised persons who act as trust or company service providers. The services provided by supervised persons. AML risks which member firms believe they are subject to AML systems, procedures and controls at member firms. Details of MLRO, Board Level person, Owners & Managers

Summary l Fundamentals of AML control remain as is – e. g. risk assessments, CDD, P&Ps, Training. l The new regulations introduce an extension of the risk-based approach, but they offer some help and guidance in terms of the risk factors which firms should be considered. Specific changes include: l Firm risk assessment – the cornerstone of your AML control framework l Enhanced internal controls relative to the size and nature of your firm l Enhanced training requirements-record keeping and data protection training l Requirement to refresh CDD should there be any changes in the client relationship l Increased CDD requirements re corporate clients l PEP definition widened to include domestic PEPs l Requirement to use AML information only for this purpose l Requirement to provide AM-related information to the Society l The Law Society itself has significant changes to make to ensure it complies with new requirements l The new UK-wide legal sectoral guidance will also offer support to firms – to be published shortly Our website is kept up-to-date and contains useful information, guides and templates Also look out forthcoming webinars and Journal articles l l